CVE-2025-3248 - Langflow validate/code unauthenticated RCE
Langflow versions before 1.3.0 expose a critical code-injection path in the
/api/v1/validate/code endpoint. The vulnerable endpoint is reachable by a
remote unauthenticated caller and can execute attacker-controlled Python code in
the Langflow process context.
For Langflow deployments, the security boundary is not just package resolution. The endpoint exists to validate custom component code, so the mergeable fix must prove that validation is only reachable by an authenticated and authorized user, that public ingress cannot reach the route during rollout, and that tests do not prove exposure by running exploit code. CISA added CVE-2025-3248 to the Known Exploited Vulnerabilities catalog, so exposed systems should also review logs and rotate reachable secrets after patching.
When to use it
- A repository deploys, builds, pins, vendors, or documents Langflow before
1.3.0. - Langflow is exposed through reverse proxies, gateways, Kubernetes ingress, tunnels, devcontainers, shared workbenches, or hosted notebooks.
- Custom component authoring, playground, code-validation, or workflow editing
features can reach
/api/v1/validate/code. - You need a bounded PR or triage note that upgrades Langflow and proves code validation requires authentication and authorization before execution sinks.
Inputs
- Python dependency files, lockfiles, Dockerfiles, compose/Helm/K8s/Terraform manifests, gateway/proxy config, environment templates, SBOMs, deployment renders, and runbooks.
- Langflow version evidence, validation route ownership, auth dependencies, role model, ingress exposure, runtime isolation, logs, and credential rotation owners.
- Available dependency install, API auth tests, gateway policy tests, container build, deployment render, SBOM, and dependency/security scan commands.
Affected versions
- Vulnerable:
langflow <1.3.0 - Fixed:
langflow 1.3.0+ - Affected endpoint:
POST /api/v1/validate/code - Weaknesses: missing authentication for a critical function and improper control of code generation/execution.
- CISA KEV: yes; added 2025-05-05 with required action due 2025-05-26.
Indicator-of-exposure
- The repository deploys, builds, vendors, pins, or documents Langflow
<1.3.0. - A reverse proxy, load balancer, API gateway, Kubernetes ingress, Codespace, tunnel, shared workbench, or developer container exposes Langflow beyond a single trusted local user.
- Custom component authoring, code validation, playground, API, or workflow editing features are enabled.
- Public or unauthenticated traffic can reach
/api/v1/validate/codeor a wrapper route that forwards to it. - The Langflow process can reach model provider keys, database credentials, flow secrets, package tokens, cloud metadata, mounted source code, internal services, or writable deployment storage.
Quick checks:
rg -n "langflow|LANGFLOW|/api/v1/validate/code|validate/code|validate_code|custom component|component code|playground|ingress|traefik|nginx|gateway" .
python -m pip show langflow
python -m pip freeze | rg -i "^langflow=="
docker images | rg -i "langflow"
Windows:
rg -n "langflow|LANGFLOW|/api/v1/validate/code|validate/code|validate_code|custom component|component code|playground|ingress|traefik|nginx|gateway" .
python -m pip show langflow
python -m pip freeze | rg -i "^langflow=="
docker images | rg -i "langflow"
Do not validate exposure by sending code payloads, running shell commands, reading files, printing environment variables, or touching real flows.
Remediation strategy
- Upgrade every controlled Langflow dependency, lockfile, image, Helm chart,
compose service, deployment manifest, SBOM, and runbook to
langflow 1.3.0+. - Block unauthenticated access to
/api/v1/validate/codeat the application and gateway layers. If rollout is not atomic, temporarily deny the route at the edge until all runtimes are patched. - Require an authenticated current user and an explicit trusted component-author or administrator permission before accepting custom component code for validation.
- Add regression tests that assert unauthenticated and low-privilege requests to the validation route fail before any code-validation or execution helper is invoked.
- Isolate Langflow with least privilege: remove cloud metadata reachability, avoid host mounts and Docker socket access, restrict egress, and keep secrets out of logs.
- Review application, gateway, process, and audit logs for unexpected
validate/codetraffic. Rotate Langflow, model provider, database, package, cloud, and workflow credentials when the endpoint was reachable by untrusted callers.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2025-3248, a critical Langflow unauthenticated code
injection vulnerability in the `/api/v1/validate/code` endpoint before
Langflow 1.3.0. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Langflow, blocks
unauthenticated validation access, adds safe regression coverage, refreshes
generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not own an affected Langflow runtime or
cannot make a safe change.
## Rules
- Scope only CVE-2025-3248 and directly related Langflow code-validation,
authentication, authorization, ingress, runtime isolation, and credential
cleanup.
- Treat Langflow flows, component code, prompts, model provider keys, database
credentials, package tokens, cloud credentials, source checkouts, uploaded
files, internal URLs, and logs as sensitive.
- Do not prove exposure by executing code payloads, spawning shells, reading
local files, dumping environment variables, beaconing to external services,
or touching production flows.
- Do not leave `/api/v1/validate/code` reachable to unauthenticated users as a
default path.
- Do not rely on UI hiding, prompt instructions, scanner suppression, or
network location as the only security control.
- Do not auto-merge.
## Steps
1. Inventory every Langflow runtime controlled by this repository:
`pyproject.toml`, `requirements*.txt`, lockfiles, Dockerfiles, compose
files, Helm charts, Kubernetes manifests, Terraform, gateway/proxy config,
environment templates, CI images, SBOMs, generated deployment output, and
runbooks.
2. Determine every resolved Langflow version. A target is vulnerable if it
resolves to `langflow <1.3.0` or an owned fork that exposes
`/api/v1/validate/code` before authenticating the current user.
3. Search for code-validation and exposure surfaces:
- `/api/v1/validate/code`, `validate_code`, custom component validation, and
playground/API routes;
- route dependencies that load the current user or enforce permissions;
- reverse-proxy, ingress, tunnel, Codespace, devcontainer, and shared
workbench access to Langflow;
- logs or analytics that may capture component code or validation errors.
4. If this repository does not deploy or package Langflow, stop with
`TRIAGE.md` listing files checked, runtime owner if known, observed version
evidence, and required fixed version `langflow 1.3.0+`.
5. Upgrade every controlled Langflow package and image to `1.3.0+`.
Regenerate lockfiles, image digests, SBOMs, deployment render output,
dependency reports, and documentation as this repository normally does.
6. Add containment for non-atomic rollouts:
- deny `/api/v1/validate/code` at the gateway or reverse proxy until patched;
- restrict Langflow to authenticated networks or single-user loopback where
applicable;
- disable custom component/code-validation features for untrusted users;
- fail closed if the Langflow version or auth state cannot be determined.
7. Where this repository controls Langflow product code or local patches,
enforce authentication and authorization before code validation:
- require a current authenticated user before parsing or validating supplied
code;
- require administrator or trusted component-author permission for custom
component validation;
- ensure denied requests return before validation helpers, imports, exec-like
paths, subprocesses, or dynamic loading are reached;
- keep component code, tracebacks, environment values, and secrets out of
logs and HTTP responses.
8. Add safe regression tests:
- missing authentication gets `401` or `403`;
- a low-privilege authenticated user cannot validate custom component code;
- the denied path does not call the validation/execution helper;
- the intended trusted role still works without logging submitted code;
- gateway/rendered deployment config denies public unauthenticated access
during rollout;
- dependency policy rejects `langflow <1.3.0`.
9. Harden runtime exposure where this repository controls deployment:
- remove Docker socket and broad host mounts from Langflow containers;
- run with a least-privilege service identity and read-only filesystem where
practical;
- block cloud metadata access and unnecessary outbound egress;
- keep provider keys, database credentials, package tokens, and flow secrets
out of environment snapshots, logs, and screenshots.
10. Add a PR body section named `CVE-2025-3248 operator actions` that states:
- Langflow versions before and after;
- whether `/api/v1/validate/code` was reachable beyond loopback or trusted
networks;
- whether unauthenticated callers could reach the route before the patch;
- whether custom component/code-validation features are enabled and for
which roles;
- which logs were reviewed for validation-route traffic;
- which Langflow, model provider, database, package, cloud, and workflow
credentials should be rotated or why rotation is not required;
- any temporary edge block that must remain until deployment completes.
11. Run relevant validation: dependency install, lockfile integrity, unit/API
auth tests, gateway policy tests, container build, deployment render,
SBOM refresh, dependency/security scans, and a non-exploit local smoke test
that proves denial without executing submitted code.
12. Use PR title:
`fix(sec): remediate CVE-2025-3248 in Langflow`.
## Stop conditions
- No affected Langflow runtime is controlled by this repository.
- Langflow is present only in prose or externally owned infrastructure; document
owner, version evidence, exposure, and required fixed version in `TRIAGE.md`.
- A fixed Langflow version cannot be consumed without a broader migration and
the repository cannot safely block the route at the edge.
- Product requirements intentionally expose unauthenticated code validation;
document the risk and require a product/security decision.
- Meaningful verification would require executing attacker-controlled code,
accessing production flows, or exposing secrets.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled dependency, image, SBOM, deployment target, or runbook resolves
Langflow
<1.3.0. /api/v1/validate/coderequires authentication before any code-validation helper, dynamic import, exec-like path, or subprocess sink is reachable.- Non-admin or untrusted users cannot validate custom component code unless the product has an explicit reviewed role for that capability.
- Gateway or reverse-proxy containment is present when patched runtimes cannot roll out atomically.
- Tests prove denied requests do not execute submitted code and do not log component source or secrets.
- Operator notes cover KEV urgency, log review, credential rotation, and any temporary edge block.
Output contract
- Reviewer-ready PR upgrading Langflow to
1.3.0+across dependencies, images, manifests, generated artifacts, SBOMs, and docs. - Authn/authz enforced before
/api/v1/validate/codereaches validation, dynamic import, exec-like helpers, subprocesses, or code-loading sinks. - Safe regression tests proving unauthenticated and low-privilege requests are denied without executing submitted code or logging component source/secrets.
TRIAGE.mdwhen Langflow runtime, ingress, rollout, or credential cleanup ownership is outside this repository.
Watch for
- Updating one
requirements.txtwhile a Docker image, Helm values file, compose service, CI image, or managed platform still runs an older Langflow. - Fixing the browser UI while leaving the API route or an internal wrapper unauthenticated.
- Testing with live exploit payloads, production flows, real provider keys, or environment dumps.
- Logging submitted component code, tracebacks with secrets, or authorization bearer tokens while adding tests.
- Treating a private network as sufficient protection for shared developer workbenches, hosted notebooks, remote IDEs, or exposed preview deployments.
Related recipes
- CVE-2025-12735 expr-eval context function RCE
- CVE-2026-5760 SGLang GGUF template RCE
- CVE intelligence intake gate
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3248
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248
- Langflow 1.3.0 release: https://github.com/langflow-ai/langflow/releases/tag/1.3.0
- Fix PR: https://github.com/langflow-ai/langflow/pull/6911
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-3248