The US cybersecurity agency CISA has issued an alert about a critical vulnerability in Langflow, tracked as CVE-2025-3248, which is currently being exploited. This vulnerability, which allows remote code execution by unauthenticated users, affects versions of Langflow prior to 1.3.0. Organizations are advised to prioritize patching as federal agencies have a deadline of May 26 to implement fixes.
Key points:
- CISA issued an alert regarding CVE-2025-3248, a critical Langflow vulnerability with a CVSS score of 9.8.
- The vulnerability is a code injection issue that allows remote, unauthenticated attackers to execute arbitrary code.
- Versions of Langflow prior to 1.3.0 are vulnerable, and there are approximately 460 internet-accessible Langflow hosts.
- The flaw can be exploited to gain control over vulnerable servers, with proof-of-concept exploit code already released.
- While version 1.3.0 adds an authentication requirement, it does not completely resolve the vulnerability.
- CISA included CVE-2025-3248 in the Known Exploited Vulnerabilities catalog, advising swift action for patching.
- Federal agencies must apply patches by May 26, and all organizations are encouraged to address vulnerabilities on CISA's KEV list urgently.
Read More: https://www.securityweek.com/critical-vulnerability-in-ai-builder-langflow-under-attack/