CVE-2025-3248
EUVD-2025-1001107.04.2025, 15:15
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| langflow | langflow | 𝑥 < 1.3.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-306 - Missing Authentication for Critical FunctionThe product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Vulnerability Media Exposure
References