CVE-2025-3248: Serious vulnerability found in popular Python AI package

Researchers at Trend Micro have reported on a critical unauthenticated remote code execution (RCE) vulnerability, CVE-2025-3248, affecting Langflow versions prior to 1.3.0. Langflow is a Python-based visual framework for building AI applications; it has over 70,000 stars on GitHub and over 21,000 weekly downloads from the public PyPI index.
Versions released before 1.3.0 contain a flaw in the code validation logic that allows arbitrary code execution: an unauthenticated attacker can exploit it by sending a specially crafted POST request to the /api/v1/validate/code endpoint.
The malicious payloads are embedded in the argument defaults and decorators of Python function definitions. Python evaluates both of these when a function definition is executed, and because Langflow compiles and executes the submitted definitions with no input validation or sandboxing, the payload expressions run directly in the server process, which results in full remote code execution.
On May 5, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3248 to its Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed exploitation in the wild.
How to Quarantine Affected Langflow Packages using Cloudsmith EPM
Cloudsmith Enterprise Policy Management (EPM) is an OPA-based engine that quarantines high-risk packages before developers take a dependency on them and before they reach production environments. The Gist below includes a generic OPA Rego policy that flags any package with a CVSS score above 6 for which a fix is available. This policy catches the vulnerable versions of Langflow, which carry a CVSS score of 9.8 and were fixed in version 1.3.0.
Langflow has numerous dependencies (langchain, pydantic, fastapi and more), so dependency resolution can make a full download slow. For the purpose of this demo we only need the raw package for scanning, so I used the --no-deps flag to avoid downloading unnecessary dependencies.
pip download langflow==1.2.0 --no-deps
The package was then pushed to Cloudsmith with a custom tag referencing CVE-2025-3248. Once it synchronized, it was automatically quarantined by the EPM policy we put in place.
cloudsmith push python acme-corporation/acme-repo-one langflow-1.2.0-py3-none-any.whl -k "$CLOUDSMITH_API_KEY" --tags CVE-2025-3248
In the Cloudsmith UI, you can see that the Langflow 1.2.0 package (containing the known vulnerability) was quarantined as soon as it synced. Alongside the automatically generated package information view, the package carries an additional policy-violated tag applied by the EPM policy, indicating that it was quarantined for a security policy violation.
Clicking into the identified vulnerability in the Cloudsmith UI confirms that it maps to CVE-2025-3248: a code injection flaw exploitable via the /api/v1/validate/code endpoint.
Understanding if you’re affected
If you’re already using centralized artifact management with vulnerability scanning, you’ll already have visibility that versions of Langflow prior to 1.3.0 are vulnerable and should not be used. According to Trend Micro, the attackers in this campaign likely started by gathering a list of IP addresses and ports of publicly exposed Langflow servers, for example with tools like Shodan.
A similar GitHub code search can surface publicly exposed Langflow servers by looking for typical indicators in configuration files, environment files, and code snippets. Langflow’s backend is a FastAPI application, and deployments are often bound to all interfaces (0.0.0.0) on a well-known port such as 7860 (the default for both Langflow and Gradio) or 8501.
(langflow OR gradio OR fastapi) AND ("0.0.0.0" OR "host=0.0.0.0" OR ":7860" OR ":8501" OR ":8080") AND (path:*.py OR path:*.env OR path:*.yml OR path:*.sh)
This should return public GitHub configurations for Langflow or related servers listening on public interfaces, as well as Gradio apps being served publicly (which is common in Langflow-based setups). Expect false positives: the query matches any FastAPI or Gradio app bound to 0.0.0.0, not only Langflow, so each hit still needs to be confirmed as a Langflow deployment and its version checked against 1.3.0.
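Searching for exposed servers tells you where Langflow runs; the more direct check is whether your own lockfiles pin a version below 1.3.0. The following is an added example (not code from the article or from Langflow) that classifies every line naming langflow in a requirements or constraints file. The conservative choice to treat pre-releases of 1.3.0 (such as 1.3.0rc1) as unfixed is my assumption, as is the sample requirements content, which is constructed and deliberately lists the package several times so every branch is exercised.

```python
"""Added example (not from the original article): a conservative lockfile
check for CVE-2025-3248 that flags Langflow pins below the fixed release."""
from __future__ import annotations

import re

FIXED_IN = (1, 3, 0)  # first Langflow release with the fix

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
# Pre-release markers in their PEP 440 spellings (alpha/beta/rc/dev). Post-releases
# such as 1.3.0.post1 are deliberately not matched because they ship after the fix.
_PRERELEASE_RE = re.compile(r"^[-._]?(alpha|beta|preview|pre|rc|dev|a|b|c)\d*", re.IGNORECASE)
# name, optional extras, optional operator, optional version (stops at space, ';' or '#')
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(===|==|~=|>=|<=|!=|<|>)?\s*([^\s;#]*)"
)


def is_vulnerable(version: str) -> bool:
    """True for any release below 1.3.0 and, as a conservative assumption,
    for pre-releases of 1.3.0 itself."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))  # '1.3' compares as (1, 3, 0)
    if release < FIXED_IN:
        return True
    return release == FIXED_IN and bool(_PRERELEASE_RE.match(m.group(2)))


def scan_requirements(text: str, package: str = "langflow") -> list[dict]:
    """Walk a requirements/constraints file and classify each line that names
    `package`: 'vulnerable' (pinned below the fix), 'fixed', 'allows-vulnerable'
    (a lower bound that still admits vulnerable releases) or 'unpinned'."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("-", "git+")):  # options, -r includes, VCS refs
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, _extras, op, ver = m.groups()
        if name.lower().replace("_", "-") != package:
            continue
        if op in ("==", "===") and ver:
            status = "vulnerable" if is_vulnerable(ver) else "fixed"
        elif op in (">=", "~=") and ver:
            status = "allows-vulnerable" if is_vulnerable(ver) else "fixed"
        else:
            status = "unpinned"
        findings.append({"line": lineno, "spec": line, "status": status})
    return findings


# Constructed sample, not a real project's lockfile; it lists the package
# several times on purpose so every classification branch is exercised.
SAMPLE_REQUIREMENTS = """\
# constructed sample
fastapi==0.115.0
langflow==1.2.0                      # vulnerable pin
Langflow>=1.3.0 ; python_version >= "3.10"
langflow
langflow==1.3.0rc1
"""

if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {finding['line']:>2}: {finding['status']:<18} {finding['spec']}")
```

Run it against a real requirements.txt by reading the file into scan_requirements; an "unpinned" or "allows-vulnerable" result means the resolver, not the lockfile, decides whether a vulnerable build lands in your environment, which is exactly the gap an upstream policy like the EPM rule above closes.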
How is the vulnerability exploited?
According to Trend Micro, the attacker uses a public proof-of-concept from GitHub to gain a remote shell on vulnerable systems. Once inside, they run a series of bash commands to gather system information and send the results to a command-and-control (C2) server.
Next, the attacker downloads and runs the Flodrix botnet malware on the compromised system. After connecting to its C2 server, the bot receives commands over TCP to launch distributed denial-of-service (DDoS) attacks. If the malware does not receive the expected input, it deletes itself.
The vulnerability lies in the /api/v1/validate/code endpoint, which is meant to validate Python code. The endpoint requires no authentication and processes the submitted source with Python's ast.parse(), compile(), and exec(): the code is not merely parsed but executed in the server process. An attacker therefore only needs to place a payload where executing a function definition will evaluate it, in a decorator or a default argument, to run arbitrary code on the server without logging in.
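To make the mechanism concrete (the payload positions described above and the parse/compile/exec chain), here is an added example that is my simplified reconstruction, not Langflow's source: an unsafe validator that executes each submitted function definition, next to a hardened one that only parses, plus a small AST check that reports calls in decorator or default-argument positions. The submitted snippet is constructed; its record() "payload" only logs which position was evaluated, where a real attacker would place something like __import__("os").system(...).

```python
"""Added example: the unsafe pattern behind CVE-2025-3248 next to a hardened
validator. A simplified reconstruction for illustration, not Langflow's code."""
from __future__ import annotations

import ast

# Constructed submission standing in for an attacker's payload. A real payload
# would use __import__("os").system(...) or similar in the same two positions;
# here record() only logs which position got evaluated.
SUBMITTED = '''
@record("decorator")
def first():
    return 1

def second(x=record("default")):
    return x
'''


def vulnerable_validate(code: str, namespace: dict) -> list[str]:
    """Unsafe: parse, then compile and exec every function definition.
    Executing a `def` evaluates its decorators and default arguments, so any
    expression placed there runs in the server process."""
    tree = ast.parse(code)
    validated = []
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            module = ast.Module(body=[node], type_ignores=[])
            exec(compile(module, "<submitted>", "exec"), namespace)  # the RCE sink
            validated.append(node.name)
    return validated


def run_vulnerable_demo() -> list[str]:
    """Feed the constructed payload to the unsafe validator and return the
    positions the payload managed to execute from, in execution order."""
    sink: list[str] = []

    def record(tag: str):
        sink.append(tag)
        return lambda f: f  # identity decorator keeps the function usable

    vulnerable_validate(SUBMITTED, {"record": record})
    return sink


def safe_validate(code: str) -> dict:
    """Hardened: syntax-only validation. ast.parse() builds a tree without
    evaluating anything, so decorators and defaults stay inert."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"valid": False, "error": f"line {exc.lineno}: {exc.msg}", "functions": []}
    functions = [
        n.name for n in ast.walk(tree)
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
    ]
    return {"valid": True, "error": None, "functions": functions}


def find_risky_positions(code: str) -> list[tuple[str, int]]:
    """Detection aid: report call expressions inside decorators or default
    arguments, the two positions the in-the-wild payloads used."""
    hits = []
    for node in ast.walk(ast.parse(code)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            if any(isinstance(n, ast.Call) for n in ast.walk(dec)):
                hits.append(("decorator", dec.lineno))
        for default in node.args.defaults + node.args.kw_defaults:
            if default is not None and any(isinstance(n, ast.Call) for n in ast.walk(default)):
                hits.append(("default", default.lineno))
    return hits


if __name__ == "__main__":
    print("vulnerable validator executed:", run_vulnerable_demo())
    print("safe validator:", safe_validate(SUBMITTED))
    print("risky positions:", find_risky_positions(SUBMITTED))
```

The hardened validator still answers the endpoint's actual question (is this valid Python, and which functions does it define?) without ever calling exec(); find_risky_positions is only a triage signal for request logs or a WAF rule, not a substitute for removing the exec, since a payload can also hide in any other expression the server later evaluates.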
Securing everything that comes from PyPI
CVE-2025-3248 highlights the value of auditing and securing everything that comes from public upstreams. With upstream proxying and caching, Cloudsmith fetches and caches open source packages (most of your dependencies), while you upload the packages you build yourself to the same artifact management repository. This is how customers use Cloudsmith as a first-class cache and a central source of truth for packages, insulating development teams from the issues that arise when downloading directly from public indexes like PyPI.