Critical Langflow RCE flaw exploited to hack AI app servers

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible. The vulnerability is tracked as CVE-2025-3248 and is a critical unauthenticated RCE flaw that allows any attacker on the internet to take full control of vulnerable Langflow servers by exploiting an API endpoint flaw. Langflow is an open-source visual programming tool for building LLM-powered workflows using LangChain components. It provides a drag-and-drop interface to create, test, and deploy AI agents or pipelines without writing full backend code. The tool, which has nearly 60k stars and 6.3k forks on GitHub, is used by AI developers, researchers, and startups, for prototyping chatbots, data pipelines, agent systems, and AI applications. Langflow exposes an endpoint (/api/v1/validate/code) designed to validate user-submitted code. In vulnerable versions, ... Read full article.