Langflow Missing-Authentication Remote Code Execution (CVE-2025-3248)
by langflow-ai (advisory); 0xgh057r3c0n (PoC) · 2026-07-03
- Severity: Critical
- CVE: CVE-2025-3248
- Category: web
- Affected product: Langflow (open-source AI/LLM workflow builder)
- Affected versions: Prior to 1.3.0
- Disclosed: 2026-07-03
- Patch status: patched
References
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
- https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html
- https://www.theregister.com/security/2026/07/02/smooth-ai-criminal-drives-first-end-to-end-agentic-ransomware-attack/5266073
- https://github.com/0xgh057r3c0n/CVE-2025-3248
Archive entry
intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-03 |
| Last Updated | 2025 |
| Author / Researcher | langflow-ai (advisory); 0xgh057r3c0n (PoC) |
| CVE / Advisory | CVE-2025-3248 |
| Category | web |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, unauthenticated, missing-authentication, Langflow, AI-application, python-exec, CISA-KEV, agentic-ransomware, JADEPUFFER |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Langflow (open-source AI/LLM workflow builder) |
| Versions Affected | Prior to 1.3.0 |
| Language / Platform | Python |
| Authentication Required | No |
| Network Access Required | Yes (HTTP to Langflow’s /api/v1/validate/code endpoint) |
Summary
CVE-2025-3248 is a missing-authentication vulnerability in Langflow’s code-validation API. The /api/v1/validate/code endpoint accepts and executes arbitrary Python code submitted by any client, with no authentication check on the route, allowing an unauthenticated attacker to achieve full remote code execution on the host running Langflow. Although patched in Langflow 1.3.0 and added to CISA’s KEV catalog in 2025, unpatched instances remain a high-value target: on 2026-07-01, researchers reported “JADEPUFFER” — the first documented fully agentic-AI-driven ransomware — using this exact CVE to autonomously harvest cloud/LLM credentials from compromised Langflow hosts and pivot into production database systems for extortion, demonstrating that older, already-patched CVEs remain dangerous when automated/agentic exploitation lowers the attacker’s operational cost.
Vulnerability Details
Root Cause
The /api/v1/validate/code endpoint, intended to validate user-submitted Python code snippets for Langflow’s visual flow builder, executes the submitted code via Python’s exec() without requiring authentication or sanitizing the input, allowing arbitrary code/command execution.
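The root cause in miniature, as an added example that is not Langflow's code or its actual patch: a validator that calls exec() runs caller-supplied expressions even when the submitted snippet only defines a function, while an authenticated, parse-only validator does not. The function names, the `marker()` stand-in and the shared-key check are assumptions made for illustration.

```python
import ast
import hmac

CALLS = []  # filled only if submitted code actually runs

def marker():
    """Harmless stand-in for any expression an untrusted client supplies."""
    CALLS.append("ran")
    return 0

# Constructed sample: defines a function and never calls it.
SAMPLE = "def f(x=marker()):\n    return x\n"

def validate_by_exec(code):
    """Pattern the advisory describes: no caller check, validation via exec()."""
    errors = []
    try:
        exec(code, {"marker": marker})  # default arguments are evaluated here
    except Exception as exc:
        errors.append(str(exc))  # exception text is echoed to the client
    return {"status": 200, "errors": errors}

def validate_by_parse(code, presented_key, expected_key):
    """Hardened sketch: authenticate first, then check syntax without executing."""
    if not hmac.compare_digest(presented_key.encode(), expected_key.encode()):
        return {"status": 401, "errors": ["authentication required"]}
    try:
        ast.parse(code)  # builds a syntax tree only; nothing is executed
    except SyntaxError as exc:
        return {"status": 200, "errors": [f"{exc.msg} (line {exc.lineno})"]}
    return {"status": 200, "errors": []}

def runs_submitted_code(validator):
    """True if validating SAMPLE caused marker() to execute."""
    CALLS.clear()
    validator(SAMPLE)
    return bool(CALLS)

if __name__ == "__main__":
    print("exec-based validator ran submitted code:",
          runs_submitted_code(validate_by_exec))
    print("parse-only validator ran submitted code:",
          runs_submitted_code(lambda c: validate_by_parse(c, "k", "k")))
```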
Attack Vector
- Send an unauthenticated POST request to `/api/v1/validate/code` with a `code` field containing a crafted Python snippet.
- The payload wraps a `subprocess.check_output()` call inside a function default-argument `exec()` trick and raises the output as an exception, so the target’s response body (the validation “errors” field) echoes back the command’s stdout.
- Parse the returned error message to recover command output, effectively yielding an interactive remote shell.
Impact
Unauthenticated remote code execution as the Langflow service user, enabling credential theft, lateral movement, and (per the JADEPUFFER campaign) autonomous ransomware deployment against downstream production systems.
Environment / Lab Setup
Target: Langflow < 1.3.0
Attacker: Python 3.8+ + requests, colorama
Proof of Concept
PoC Script
See `CVE-2025-3248.py` in this folder.
Drops into an interactive shell (whoami, uname -a, etc.) by repeatedly POSTing crafted Python payloads to /api/v1/validate/code and parsing command output back out of the validation error response.
Detection & Indicators of Compromise
Signs of compromise:
- Unexpected subprocess/child-process creation by the Langflow service process
- Outbound connections to unfamiliar hosts shortly after `/api/v1/validate/code` activity
- Credential-harvesting or database-access patterns inconsistent with normal Langflow operation (JADEPUFFER campaign indicator)
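One way to hunt for the second indicator, as an added example that is not part of the original entry: flag POSTs to the endpoint from clients outside a trusted range, then flag outbound connections to unknown destinations within a short window of any such request. The log formats, addresses, allowlists and five-minute window are constructed assumptions; adapt the parsing to your proxy and flow logs.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (documentation-range addresses), not real telemetry.
ACCESS_LOG = """\
2026-07-01T10:00:02Z 10.0.0.5 GET /api/v1/flows 200
2026-07-01T10:03:11Z 203.0.113.7 POST /api/v1/validate/code 200
2026-07-01T10:03:12Z 203.0.113.7 POST /api/v1/validate/code 200
2026-07-01T11:20:00Z 10.0.0.5 POST /api/v1/validate/code 200
"""
EGRESS_LOG = """\
2026-07-01T10:03:40Z langflow 198.51.100.23:443
2026-07-01T10:30:00Z langflow 10.0.0.20:5432
2026-07-01T11:20:30Z langflow 10.0.0.20:5432
"""
TRUSTED_CLIENTS = [ip_network("10.0.0.0/8")]  # assumed admin/internal range
KNOWN_EGRESS = [ip_network("10.0.0.0/8")]     # assumed expected destinations
WINDOW = timedelta(minutes=5)                 # assumed correlation window

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def _in(ip, networks):
    return any(ip_address(ip) in net for net in networks)

def validate_code_hits(access_log):
    """Return (time, client) for every POST to the code-validation endpoint."""
    hits = []
    for line in access_log.splitlines():
        ts, src, method, path, _status = line.split()
        if method == "POST" and path.split("?")[0].rstrip("/") == "/api/v1/validate/code":
            hits.append((_ts(ts), src))
    return hits

def correlate(access_log, egress_log):
    """Findings: untrusted callers, and unknown egress soon after any hit."""
    hits = validate_code_hits(access_log)
    findings = [("untrusted-client", src, t.isoformat())
                for t, src in hits if not _in(src, TRUSTED_CLIENTS)]
    for line in egress_log.splitlines():
        ts, _proc, dest = line.split()
        host, when = dest.rsplit(":", 1)[0], _ts(ts)
        near_hit = any(timedelta(0) <= when - t <= WINDOW for t, _ in hits)
        if near_hit and not _in(host, KNOWN_EGRESS):
            findings.append(("egress-after-validate", host, when.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in correlate(ACCESS_LOG, EGRESS_LOG):
        print(finding)
```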
Remediation
| Action | Detail |
|---|---|
| Primary fix | Upgrade Langflow to 1.3.0 or later |
| Interim mitigation | Restrict network access to Langflow’s API to trusted hosts only; do not expose /api/v1/validate/code to the internet |
| Cleanup | If compromise is suspected, rotate all credentials accessible from the Langflow host and audit downstream database/cloud access for JADEPUFFER-style automated extortion activity |
References
- Langflow GitHub Security Advisory GHSA-vwmf-pq79-vjvx
- AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack (JADEPUFFER)
- Smooth AI criminal drives ‘first’ end-to-end agentic ransomware attack (The Register)
- Source repository (0xgh057r3c0n)
Notes
Mirrored from https://github.com/0xgh057r3c0n/CVE-2025-3248 on 2026-07-03. CVE is from 2025 and CISA KEV-listed since then, but remains highly relevant given the 2026-07-01 JADEPUFFER agentic-ransomware report specifically naming this vulnerability as its initial access vector.