The US Cybersecurity and Infrastructure Security Agency (CISA) has evidence that a critical flaw fixed last month in Langflow is now being exploited in the wild. The vulnerability, which can be exploited without authentication to remotely execute arbitrary code on servers, was added to CISA’s known exploited vulnerabilities (KEV) catalog, signaling to government agencies and private organizations alike that it should be patched immediately.
Langflow is an open-source tool written in Python that enables users to build and deploy AI agents through a visual interface as well as an API server. In the age of agentic AI, when many companies are looking to leverage large language models (LLMs) to automate internal workflows, Langflow has become very popular, with almost 60K stars on GitHub.
By its nature, Langflow allows authenticated users to execute arbitrary code. When building agents via Langflow’s visual components, users freely modify the underlying Python code. But the CVE-2025-3248 vulnerability found by researchers from Horizon3.ai gives the same power to unauthenticated users, a problem compounded by the fact that there are more than 500 Langflow instances exposed to the internet and many more accessible through internal networks.
Missing authentication on dangerous API endpoint
The flaw is rather straightforward and stems from the fact that one API endpoint called /api/v1/validate/code had missing authentication checks and passed code to the Python exec function. However, it didn’t run exec directly on functions, but on function definitions, which make functions available for execution but don’t execute their code.
Because of this, the Horizon3.ai researchers had to come up with an alternative exploitation method leveraging a Python feature called decorators, which “are functions that return functions that wrap other functions.”
The proof-of-concept published by Horizon3.ai on April 9 leverages decorators to achieve remote code execution, but the researchers note that a third-party researcher also achieved the same by abusing another feature of Python functions called default arguments.
Since then, an exploit for this vulnerability has also been added to Metasploit, a popular penetration testing framework, so it’s not surprising that attackers have already started exploiting this flaw in attacks.
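The definition-time behaviour described above, as an added example (not Langflow's code and not the Horizon3.ai proof-of-concept): decorator expressions and default arguments are evaluated when a def statement runs, so exec on a bare function definition still executes them. The function names and the sample input are constructed for illustration; the static check uses ast.parse only and executes nothing.

```python
import ast

# Constructed sample: a harmless function definition used only for illustration.
SAMPLE = '''
@note("decorator expression")
def handler(x=note("default argument")):
    note("function body")
'''


def definition_time_expressions(source):
    """Statically list the expressions Python evaluates while *defining*
    a function, i.e. without the function ever being called."""
    found = []
    for node in ast.walk(ast.parse(source)):  # parse only, nothing runs
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            defaults = list(node.args.defaults)
            # kw_defaults holds None for keyword-only args without a default
            defaults += [d for d in node.args.kw_defaults if d is not None]
            for dec in node.decorator_list:
                found.append(("decorator", dec.lineno, ast.unparse(dec)))
            for default in defaults:
                found.append(("default", default.lineno, ast.unparse(default)))
    return found


def run_definition_only(source):
    """Exec the definition with a harmless recorder to show what actually runs."""
    events = []

    def note(msg):
        events.append(msg)
        return lambda fn: fn  # usable both as a decorator and as a default value

    exec(compile(source, "<sample>", "exec"), {"note": note})
    return events


if __name__ == "__main__":
    for kind, line, text in definition_time_expressions(SAMPLE):
        print(f"line {line}: {kind} evaluated at definition time: {text}")
    # The body never runs, but the decorator and the default argument do.
    print("ran during exec:", run_definition_only(SAMPLE))
```

A validator that needs only syntax checking can stop at ast.parse; anything that goes on to exec submitted definitions has to treat every expression this check reports as code that will run.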
Remediation
Langflow users are advised to immediately upgrade deployments to version 1.3.0, released April 1, which includes the patch, or to the latest version, 14.0, which has additional fixes.
The Horizon3.ai researchers point out that any Langflow user can already escalate their privileges to superuser because they can execute code on the server by design. As such, any stolen or weak Langflow user credentials can pose a significant risk.
“As a general practice we recommend caution when exposing any recently developed AI tools to the Internet,” the researchers said. “If you must expose it externally, consider putting it in an isolated VPC and/or behind SSO. It only takes one errant/shadow IT deployment of these tools on some cloud instance to have a breach on your hands.”
The original article can be found on CSO Online: Critical flaw in AI agent dev tool Langflow under active exploitation.