CVE-2025-3248: When Validation Becomes Exploitation in Langflow

With the rapid growth of the LLM ecosystem, new frameworks and orchestration tools are emerging to simplify development and accelerate innovation. However, alongside LLM-specific issues such as prompt injection, traditional application security risks such as missing authentication and unsafe dynamic code execution remain a serious threat to LLM-based applications.

A critical vulnerability was recently disclosed in Langflow, assigned CVE-2025-3248, which allows unauthenticated remote code execution due to unsafe code validation logic. Langflow is an open-source visual programming tool that enables developers to design, build, and orchestrate complex LLM workflows through an intuitive drag-and-drop interface. It simplifies building applications on top of language models without requiring extensive coding. With over 79k stars on GitHub, Langflow has gained significant traction in the developer community, highlighting its widespread adoption.

The CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog due to observed active exploitation. It carries a CVSS v3 base score of 9.8 (Critical), reflecting that it can be exploited over the network without authentication or user interaction. A detailed technical analysis has been published by Horizon3.ai.

Vulnerability Summary

The vulnerability affects Langflow versions prior to 1.3.0, where an unsafe code validation routine was exposed via the unauthenticated API endpoint /api/v1/validate/code. This endpoint accepts user-supplied Python code and "validates" it by parsing, compiling, and executing it, without enforcing any authentication or authorization checks.

Internally, Langflow parses the submitted code into an abstract syntax tree (AST) using Python's ast.parse(), compiles the result and executes it via exec(). This entire chain runs before the identity or privileges of the requester are verified.

The vulnerability becomes especially dangerous because of how Python handles decorators. A decorator expression is evaluated when the def statement that carries it is executed, not when the decorated function is later called. Because Langflow's validator exec()s the submitted definitions, an attacker can embed a payload inside a decorator and it runs as soon as the definition is executed, without the decorated function ever being invoked. This allows unauthenticated attackers to execute arbitrary commands on the server.

Patch diff analysis reveals that the vulnerable code path had no authentication check before processing user-submitted code. The fix adds an authentication dependency so that only authenticated users can reach the code validation API.

Figure 1: Patch Diff Showing Authorization Check Added

Figure 2: Unit test ensuring unauthorized access to code validation is blocked

Understanding Python Decorators & Their Role in This Attack

In Python, decorators are functions or callables that modify the behaviour of other functions or classes. They are commonly used for features like logging, authentication, or caching, allowing developers to add functionality without altering the core logic.

What is crucial for this attack is understanding when decorators are evaluated. A decorator is not executed when the decorated function is called; it is executed at the moment the function is defined, that is, when the def statement itself runs. Parsing or compiling the source does not trigger it; executing the definition does.

Figure 3: Decorator Example

In this case, Python prints Decorator executed as soon as the def statement is executed, regardless of whether foo() is ever called. This characteristic makes decorators a very attractive vehicle for attackers, especially in systems that execute untrusted code in order to "check" it.

In Langflow, this behavior became dangerous because user-submitted code is passed through Python's ast.parse(), which converts raw Python source into an AST, and the resulting function definitions are then compiled and executed directly with Python's exec(). The following code snippet shows how Langflow attempted to validate user-submitted Python code:

Figure 4: Unsafe Code Evaluation Logic in Langflow

This allowed attackers to embed payloads directly inside decorators, ensuring their code would execute as soon as the definition was exec()ed. An attacker could submit a payload like:

Figure 5: Sample Code Execution using Decorators

When the server executes this function definition, Python evaluates the decorator expression exec("os.system('touch /tmp/poc')"), which runs the system command and creates a file on the server, all without ever calling the foo() function.

Since exec() returns None, applying the decorator then raises a TypeError (Python attempts to call None(foo)), but this happens only after the payload has already executed. Langflow catches these exceptions and includes them in the errors field of its JSON response. If the payload puts command output into the exception message (for example by raising with the output of subprocess.check_output), that output is returned in the same field, allowing attackers to both execute commands and exfiltrate their results via the API response.

Reproducing The Attack

Environment Setup

For this demonstration, we recreated the vulnerable environment using Docker and installed Langflow version 1.2.0:

Figure 6: Setting Up Vulnerable Langflow Environment Using Docker

Once the container is up and running, the deployment can be verified by accessing the web interface at:
http://127.0.0.1:7860/
At this point, the vulnerable API endpoint /api/v1/validate/code is exposed without authentication and ready for testing.

Crafting The Exploit Payload

Let’s walk through a few payload variations that successfully exploit the vulnerability:

Decorator-based Payload

To demonstrate the exploit in action, we crafted a payload that leverages Python's definition-time evaluation of decorators to execute arbitrary system commands. Using a simple curl request, we submitted code whose decorator invokes os.system() to create the file /tmp/test on the server. The server responded with a JSON error message reporting a NoneType issue, which is expected because exec() returns None and Python then tries to call it as the decorator. That error is raised only after the payload has already run. To verify successful exploitation, we inspected the running Docker container and confirmed the creation of the file by listing the contents of /tmp, where the file test was present. This demonstrates how easily unauthenticated attackers could execute arbitrary commands on vulnerable Langflow instances.


Figure 7: Payload using decorator with os module

Alternatively, the attacker can use Python's subprocess module to both execute system commands and capture their output. In this payload, subprocess.check_output("id") runs when the decorated definition is executed, and its output is embedded in the server's JSON error response, making it possible not only to execute commands but also to retrieve their results directly via the API response.


Figure 8: Payload using decorator with subprocess module

Function Default Argument based Payload

In this variation, the malicious code is embedded in the default value of a function argument. Like decorators, default argument expressions are evaluated at function definition time, which in this context means when Langflow exec()s the submitted definition, before the function is ever called. This provides a second vector for code execution that does not rely on decorators at all. The payload shown below executes the id command to demonstrate successful code execution.


Figure 9: Payload using function default argument

Figure 10: Packet capture showing payload executing cat /etc/passwd
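To make the behaviour behind both the decorator-based and the default-argument-based payloads concrete, the following is an added example written for this article; it is not Langflow's code and not the payloads from the figures above. It re-creates the parse, compile and exec() validation pattern described earlier, feeds it three constructed payloads, and shows exactly which expressions execute. Instead of touching /tmp or running id, the payloads set process environment variables as a harmless, observable stand-in for a system command, and the function bodies set a separate marker so we can prove they never run. The syntax_only_validate() function is an illustrative hardening that never calls exec(); the real upstream fix, as the patch diff shows, was to require authentication on the endpoint.

```python
import ast
import os
import platform

# Constructed payloads for illustration only (not from the original page or
# from Langflow). Each defines a function whose BODY records a marker, so we
# can show the body never runs while the decorator / default expression does.
DECORATOR_PAYLOAD = '''
@exec("__import__('os').environ['POC_DECORATOR'] = 'ran'")
def foo():
    __import__('os').environ['POC_BODY'] = 'ran'
'''

DEFAULT_ARG_PAYLOAD = '''
def foo(x=exec("__import__('os').environ['POC_DEFAULT'] = 'ran'")):
    __import__('os').environ['POC_BODY'] = 'ran'
'''

# Exfiltration variant: the payload raises, so whatever it places in the
# exception message comes back in the validator's errors list.
EXFIL_PAYLOAD = '''
@exec("raise RuntimeError('OUT:' + __import__('platform').python_version())")
def foo():
    pass
'''

MARKERS = ("POC_DECORATOR", "POC_DEFAULT", "POC_BODY")


def unsafe_validate(code):
    """Re-creation of the validate-by-exec pattern: parse, then compile and
    exec() each top-level function definition to see whether it 'works'.
    Executing a def statement evaluates its decorators and default
    arguments, so attacker expressions placed there run at this point."""
    errors = []
    try:
        tree = ast.parse(code)          # parsing alone executes nothing
    except SyntaxError as exc:
        return [f"SyntaxError: {exc}"]
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            module = ast.Module(body=[node], type_ignores=[])
            code_obj = compile(module, "<string>", "exec")  # still inert
            try:
                exec(code_obj, {})      # the sink: the def statement runs
            except Exception as exc:
                errors.append(f"{type(exc).__name__}: {exc}")
    return errors


def syntax_only_validate(code):
    """Illustrative hardened variant (assumed design, not the upstream fix):
    parse and compile but never exec(). compile() does not evaluate
    decorators or defaults, so syntax is checked without running user code."""
    try:
        compile(ast.parse(code), "<string>", "exec")
    except SyntaxError as exc:
        return [f"SyntaxError: {exc}"]
    return []


def _clear_markers():
    for key in MARKERS:
        os.environ.pop(key, None)


def run_demo():
    """Runs every payload through both validators and reports what executed."""
    results = {}

    _clear_markers()
    results["safe_errors"] = (syntax_only_validate(DECORATOR_PAYLOAD)
                              + syntax_only_validate(DEFAULT_ARG_PAYLOAD))
    results["safe_ran_anything"] = any(key in os.environ for key in MARKERS)

    _clear_markers()
    results["decorator_errors"] = unsafe_validate(DECORATOR_PAYLOAD)
    results["decorator_ran"] = os.environ.get("POC_DECORATOR") == "ran"

    results["default_errors"] = unsafe_validate(DEFAULT_ARG_PAYLOAD)
    results["default_ran"] = os.environ.get("POC_DEFAULT") == "ran"

    # Neither function body was ever called.
    results["body_ran"] = "POC_BODY" in os.environ

    results["exfil_errors"] = unsafe_validate(EXFIL_PAYLOAD)
    results["exfil_leaked_version"] = (
        platform.python_version() in results["exfil_errors"][0])

    _clear_markers()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the script shows the three points the article makes: the decorator payload produces "TypeError: 'NoneType' object is not callable" only after its side effect has landed, the default-argument payload executes with no error at all (its default simply becomes None), and the raising payload returns the interpreter version string inside the errors list, which is the exfiltration channel used by the subprocess.check_output variant. The syntax-only validator reports no errors for either payload and triggers none of the markers, because neither ast.parse() nor compile() evaluates user expressions.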

Conclusion

The Langflow vulnerability is a strong reminder that traditional security challenges remain highly relevant across emerging AI and LLM platforms. As these ecosystems introduce new levels of flexibility through dynamic code execution and extensibility, they also expand the attack surface when proper security controls are not enforced. Language features such as definition-time evaluation of decorators and default arguments in Python, while powerful, become dangerous when combined with exec() on untrusted input and an endpoint that requires no authentication.

To mitigate these risks, developers building AI infrastructure must apply robust security practices, including strict authentication, input validation, sandboxing, and minimal privilege, especially when processing user-supplied code. Addressing such issues early in the development lifecycle will be critical for ensuring the secure growth of LLM-powered applications.

CVE-2025-3248 Strike in BreakingPoint

At Keysight Technologies, our Application and Threat Intelligence (ATI) team has analyzed the attack traffic pattern of Langflow Code Validation Missing Authentication Vulnerability (CVE-2025-3248) and added a new 1-arm verified Strike in ATI-2025-09 StrikePack.

Figure 11: Langflow Code Validation Missing Authentication Strike in BPS

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. BreakingPoint customers also have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls' ability to detect or block such attacks.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3248

https://horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

https://github.com/langflow-ai/langflow

https://github.com/langflow-ai/langflow/pull/6911/files
