BACK_TO_FEED

CVE-2025-3248

CRITICALCVSS: 9.8

Langflow exposes a /api/v1/builder/execute_code endpoint that takes user-supplied Python code and passes it directly to exec() on the backend. Since there's no authentication or sandboxing, attackers can craft arbitrary payloads for code execution.

Published: 4/7/2025
Affected: Langflow ≤ v1.3.0

REFERENCES

NIST

AVAILABLE_EXPLOITS(1)

Exploit for CVE-2025-3248

@b0ySie7e
4/7/2025

This code is strictly intended for educational and research purposes only.

#RCE#Web#Critical
VERIFIED
VIEW_EXPLOIT