CISA Warns of Actively Exploited Critical Flaw in Langflow

TLDR: A critical flaw has been discovered in Langflow, an open-source platform for creating AI agents, that allows remote code execution without authentication. The vulnerability, fixed in version 1.3.0, has been added to CISA's Known Exploited Vulnerabilities Catalog, and immediate updating is recommended.

Horizon3.ai researchers have identified a critical vulnerability in Langflow, an open-source platform for designing AI agent chains. Tracked as CVE-2025-3248, it allows remote code execution through an endpoint that is accessible without authentication. The root cause is the direct use of the exec() function on user-submitted code, without confinement or filtering. Although the flaw was fixed in version 1.3.0, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it on May 5th to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

Founded in 2020 and acquired in 2024 by DataStax, Langflow offers a visual interface for creating AI agents and complex workflows from language models, APIs, and databases. This open-source low-code tool targets developers who wish to rapidly prototype generative applications while maintaining granular control over technical components. The platform's engine is built on LangChain, which explains its popularity in retrieval-augmented generation (RAG) and multi-agent projects.

To support custom component extensions, Langflow exposes a code validation endpoint, "/api/v1/validate/code". Intended to make it easier to test user scripts, this mechanism relies on direct execution of Python code via exec(), with neither access control nor a secure environment (sandboxing). The result is a critical vulnerability: a simple HTTP request, sent without authentication, can take control of the underlying server.
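For defenders checking whether an instance was reached before it was patched, the following added example (not code from Langflow, Horizon3.ai or CISA) scans reverse-proxy access logs for POST requests to the endpoint named above and ranks the sources. The combined log format, the sample lines, the trusted network range and the priority labels are assumptions made for illustration.

```python
import ipaddress
import re

ENDPOINT = "/api/v1/validate/code"                    # path named in the article
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: internal range
LABELS = ["low", "medium", "high"]                    # hypothetical triage labels

# Constructed sample lines (combined log format from a hypothetical reverse proxy).
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2025:10:01:12 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - alice [06/May/2025:10:02:40 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/May/2025:10:01:15 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 200 298 "-" "python-requests/2.31"
10.0.0.12 - bob [06/May/2025:10:05:03 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 150 "-" "Mozilla/5.0"
192.0.2.50 - - [06/May/2025:10:07:44 +0000] "POST /api/v1/validate/code/ HTTP/1.1" 401 40 "-" "curl/8.5"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_hits(log_text):
    """Return one record per POST to the validation endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0].rstrip("/")  # ignore query, trailing slash
        if path != ENDPOINT:
            continue
        try:
            internal = any(ipaddress.ip_address(m["src"]) in n for n in TRUSTED_NETS)
        except ValueError:
            internal = False  # source logged as a hostname: treat as external
        hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                     "external": not internal,
                     "anonymous": m["user"] == "-"})  # proxy recorded no user
    return hits

def triage(hits):
    """Per source: hit count and the worst priority seen."""
    out = {}
    for h in hits:
        rank = 0
        if h["external"] and h["anonymous"]:
            rank = 2 if 200 <= h["status"] < 300 else 1  # served vs. rejected
        entry = out.setdefault(h["src"], {"count": 0, "rank": 0})
        entry["count"] += 1
        entry["rank"] = max(entry["rank"], rank)
    return {s: {"count": e["count"], "priority": LABELS[e["rank"]]} for s, e in out.items()}
```

Sources ranked "high" received a 2xx response while external and anonymous, so those hosts are the ones to examine first for follow-on activity.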

This vulnerability, highlighted by Horizon3.ai's offensive research team specializing in proactive vulnerability detection, is rated critical, scoring 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale. The detailed publication not only exposes the flaw but also provides an accessible proof of concept, making the risks concrete and understandable for a broad technical audience.

Recommendations

Following the disclosure, CISA issued a security alert recommending that government agencies and enterprises update immediately to version 1.3.0, released on March 31st, as earlier versions are susceptible to arbitrary code injection.
Horizon3.ai researchers, who note that over 500 instances of Langflow are exposed on the Internet, emphasize:
"As a general rule, we recommend caution when exposing recently developed AI tools to the Internet. If you must expose it externally, consider placing it in an isolated VPC and/or behind SSO. A single deployment of these tools on a cloud instance is enough for a breach to be at hand."

To better understand

What does Langflow use as its underlying engine, and why is it popular in RAG projects?

Langflow uses LangChain as the engine for its platform, which is particularly suitable for RAG (retrieval-augmented generation) projects as it allows seamless integration of language models, APIs, and databases to create complex AI agents.

What is CISA's Known Exploited Vulnerabilities (KEV) catalog and what is its role?

CISA's KEV catalog is an official registry of security vulnerabilities that have been actively exploited. Its role is to centralize and highlight these critical flaws to inform and advise agencies and companies on the priority patches to implement in order to strengthen their cybersecurity.