The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has identified a critical remote code execution vulnerability, CVE-2025-3248, in Langflow as actively exploited, emphasizing the urgent need for organizations to apply security updates. This vulnerability allows attackers full control over vulnerable servers through a flawed API endpoint. Users are advised to upgrade to version 1.3.0 or later to address the issue.
Keypoints :
- The CVE-2025-3248 vulnerability is a critical unauthenticated RCE flaw affecting Langflow.
- Attackers can exploit an API endpoint to execute malicious code on vulnerable servers.
- Version 1.3.0 released on April 1, 2025, includes a fix for this vulnerability.
- The latest Langflow version, 1.4.0, includes additional fixes and improvements.
- Users unable to upgrade should mitigate risks by placing Langflow behind firewalls or authentication layers.
- CISA has set a deadline of May 26, 2025, for federal agencies to implement updates or stop using Langflow.
- Horizon3 researchers have noted the lack of privilege separation and sandboxing in Langflowβs design.
- At least 500 internet-exposed instances of Langflow were identified as vulnerable.
- CISA has not confirmed whether ransomware groups are exploiting this vulnerability.
Views: 12