A critical security flaw in the open-source Langflow platform, tracked as CVE-2025-3248, has been added to CISA's Known Exploited Vulnerabilities catalog because of evidence of active exploitation. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code and carries a CVSS score of 9.8, marking it as a severe threat. Organizations running Langflow are urged to apply the latest fixes by May 26, 2025.
Affected: Langflow platform
Key points:
- The Langflow security flaw CVE-2025-3248 has been confirmed to enable execution of arbitrary code.
- It has a critical CVSS score of 9.8 and allows unauthenticated remote access to the server.
- Most versions of Langflow are vulnerable, and a patch was released in version 1.3.0 on March 31, 2025.
- The vulnerability was discovered by Horizon3.ai and can be exploited easily, with a proof-of-concept exploit made publicly available.
- Currently, there are 466 internet-exposed Langflow instances, predominantly located in the U.S., Germany, Singapore, India, and China.
- Federal Civilian Executive Branch agencies have until May 26, 2025, to implement the necessary security fixes.
- The incident highlights the necessity for secure authentication and sandboxing measures in applications executing dynamic code.
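The last point above (authentication and sandboxing for applications that execute dynamic code) is illustrated below with an added example that is not Langflow's code and not taken from the article. It models a hypothetical "validate code" handler twice: first in the risky form, where unauthenticated input is passed straight to exec(), and then hardened so that the handler requires an API key and only parses the submitted source with ast.parse (a syntax check that never executes anything). A small version helper, keyed to the 1.3.0 fix version named on the page, is included for inventory scripts that compare a reported version against the patched release. The Request class, the header name x-api-key, and the API key value are constructed for the demonstration.

```python
"""Added example: risky vs. hardened code-validation handler (hypothetical,
not Langflow's implementation). Python standard library only."""
import ast
import hmac
import secrets
from dataclasses import dataclass, field

# From the page: the fix shipped in Langflow 1.3.0.
PATCHED_VERSION = (1, 3, 0)


def parse_version(version: str) -> tuple:
    """Turn '1.2.0' or 'v1.3.0' into a comparable (major, minor, patch) tuple."""
    parts = version.strip().lstrip("v").split(".")[:3]
    return tuple(int(p) for p in parts)


def is_pre_patch(version: str) -> bool:
    """True when the reported version predates the 1.3.0 fix."""
    return parse_version(version) < PATCHED_VERSION


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: JSON body plus headers."""
    body: dict
    headers: dict = field(default_factory=dict)


# --- Risky pattern: no authentication, caller-supplied text reaches exec(). ---
def unsafe_validate_code(req: Request) -> dict:
    try:
        exec(req.body.get("code", ""), {})  # executes whatever the caller sent
        return {"status": 200, "ok": True}
    except Exception as exc:  # SystemExit and friends are not even caught
        return {"status": 200, "ok": False, "error": str(exc)}


# --- Hardened pattern: authenticate first, then parse without executing. ---
# Constructed for the demo; a real deployment loads the key from configuration.
API_KEY = secrets.token_hex(16)
MAX_SOURCE_BYTES = 64_000  # assumption: cap input size before parsing


def _authorized(req: Request) -> bool:
    supplied = req.headers.get("x-api-key", "")
    # Constant-time comparison so the key cannot be guessed byte by byte.
    return hmac.compare_digest(supplied.encode(), API_KEY.encode())


def safe_validate_code(req: Request) -> dict:
    if not _authorized(req):
        return {"status": 401, "ok": False, "error": "authentication required"}
    code = req.body.get("code", "")
    if not isinstance(code, str) or len(code.encode()) > MAX_SOURCE_BYTES:
        return {"status": 400, "ok": False, "error": "invalid or oversized source"}
    try:
        ast.parse(code)  # syntax check only: builds an AST, runs nothing
    except SyntaxError as exc:
        return {"status": 200, "ok": False,
                "error": f"line {exc.lineno}: {exc.msg}"}
    except (RecursionError, MemoryError, ValueError) as exc:
        # Pathological input (very deep nesting, null bytes) can still
        # trip the parser; report it instead of crashing the worker.
        return {"status": 400, "ok": False, "error": type(exc).__name__}
    return {"status": 200, "ok": True}


if __name__ == "__main__":
    authed = {"x-api-key": API_KEY}
    print(is_pre_patch("1.2.0"), is_pre_patch("1.3.0"))
    print(safe_validate_code(Request({"code": "import os"})))
    print(safe_validate_code(Request({"code": "raise SystemExit"}, authed)))
    print(safe_validate_code(Request({"code": "x = ("}, authed)))
```

The contrast worth noticing is the "raise SystemExit" input: the hardened handler reports it as syntactically valid and returns normally, because the source is only parsed, while the risky handler would actually execute it. Returning 401 before touching the body also means an unauthenticated caller never reaches the parser at all, which is the property the KEV entry on this page is about.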
Read More: https://thehackernews.com/2025/05/critical-langflow-flaw-added-to-cisa.html