{"data":{"id":"ab9ba187-619a-49b9-8037-afb336f16870","title":"CVE-2025-3248: Langflow versions prior to 1.3.0 are susceptible to code injection in \nthe /api/v1/validate/code endpoint. A remote and ","summary":"Langflow versions before 1.3.0 have a code injection vulnerability (a flaw where attackers can insert and run malicious code) in the /api/v1/validate/code endpoint that allows unauthenticated attackers (those without login credentials) to execute arbitrary code by sending specially crafted HTTP requests (formatted messages to the server). This vulnerability is actively being exploited in the wild.","solution":"Update Langflow to version 1.3.0 or later, as referenced in the official release notes at https://github.com/langflow-ai/langflow/releases/tag/1.3.0. If mitigations are unavailable, discontinue use of the product.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-3248","publishedAt":"2025-04-07T19:15:44.897Z","cveId":"CVE-2025-3248","cweIds":["CWE-306","CWE-94","CWE-306"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"active","epssScore":0.9208,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-115","CAPEC-242"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}