CVE-2025-3248

CVSS 3.1 Score 9.8 of 10 (CRITICAL)

  • Attack Complexity: LOW
  • Confidentiality: HIGH
  • Integrity: HIGH
  • Availability: HIGH
  • Scope: UNCHANGED
  • Privileges Required: NONE
Summary

CVE-2025-3248 is a new code injection vulnerability affecting Langflow versions before 1.3.0. This issue permits an unauthenticated attacker to send malicious HTTP requests to the /api/v1/validate/code endpoint, leading to the execution of arbitrary code. The vulnerability poses a serious risk, as it allows an attacker to gain unauthorized access and potentially take control of the affected system. Langflow users are strongly encouraged to update to the latest version to mitigate this threat.

Details
  • Published: 2025-04-07T15:15:44.897
  • Updated: 2025-04-09T19:15:50.270
  • CWE ID: CWE-306
Affected Products

Langflow

Affected Vendors

DataStax

Advisories, Assessments, and Mitigations