The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible.

The vulnerability is tracked as CVE-2025-3248 and is a critical unauthenticated RCE flaw that allows any attacker on the internet to take full control of vulnerable Langflow servers by exploiting an API endpoint flaw.

Langflow is an open-source visual programming tool for building LLM-powered workflows using LangChain components. It provides a drag-and-drop interface to create, test, and deploy AI agents or pipelines without writing full backend code.

The tool, which has nearly 60k stars and 6.3k forks on GitHub, is used by AI developers, researchers, and startups, for prototyping chatbots, data pipelines, agent systems, and AI applications.

Langflow exposes an endpoint (/api/v1/validate/code) designed to validate user-submitted code. In vulnerable versions, this endpoint does not safely sandbox or sanitize the input, allowing an attacker to send malicious code to that endpoint and have it executed directly on the server.

CVE-2025-3248 was fixed in version 1.3.0, released on April 1, 2025, so it’s recommended to upgrade to that version or later to mitigate the risks that arise from the flaw.

The patch was minimal, just adding authentication for the vulnerable endpoint, involving no sandboxing or hardening.

The latest Langflow version, 1.4.0, was released earlier today and contains a long list of fixes, so users should upgrade to this release.

Horizon3 researchers published an in-depth technical blog about the flaw on April 9, 2025, including a proof-of-concept exploit.

The researchers warned about the high likelihood of exploitation for CVE-2025-3248, identifying at least 500 internet-exposed instances at the time.

Those who cannot upgrade to a safe version immediately are recommended to restrict network access to Langflow by putting it behind a firewall, authenticated reverse proxy, or VPN. Also, direct internet exposure is discouraged.

CISA has given federal agencies until May 26, 2025, to apply the security update or mitigations or stop using the software.

CISA has not provided any specific details about the observed exploitation activity and has stated that it is currently unknown whether ransomware groups are exploiting the vulnerability.

For users of Langflow, it’s important to bear in mind Horizon3’s remarks about the tool’s design, which, according to them, has poor privilege separation, no sandbox, and a history of RCEs “by design” stemming from its nature and intended functionality.

CVE-2025-3248 is the first truly unauthenticated RCE flaw in Langflow, and given its active exploitation status, immediate action is required.