GHSA-c995-4fw3-j39m
REJECTED
CVSS 9.8 CRITICAL
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint
Risk Scores
CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | langflow | 0 |
Exploit Intelligence
- Verified vulnerability journey for CVE-2025-8110 (Gogs) and CVE-2025-3248 (Langflow) — risk triage, exploitability verification, verified patches. (github-poc-repo)
- PoC for achieving RCE in Langflow versions <1.3.0 (github-poc-repo)
…and 260 more exploits
Timeline
- CVE Published
- Jun 28, 2025 PoC Published
- Mar 2, 2026 Security Advisory
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-3248 advisory
- https://github.com/langflow-ai/langflow/pull/6911 url
- https://github.com/langflow-ai/langflow package
- https://github.com/langflow-ai/langflow/releases/tag/1.3.0 url
- https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai url