From 5ab262fe50978368ddfeb3f6b0dc92844593ec04 Mon Sep 17 00:00:00 2001 From: Goby <50955360+gobysec@users.noreply.github.com> Date: Wed, 9 Apr 2025 20:18:25 +0800 Subject: [PATCH] Create Langflow Code Execution Vulnerability (CVE-2025-3248).md --- ...Code Execution Vulnerability (CVE-2025-3248).md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Langflow Code Execution Vulnerability (CVE-2025-3248).md diff --git a/Langflow Code Execution Vulnerability (CVE-2025-3248).md b/Langflow Code Execution Vulnerability (CVE-2025-3248).md new file mode 100644 index 0000000..0b60958 --- /dev/null +++ b/Langflow Code Execution Vulnerability (CVE-2025-3248).md @@ -0,0 +1,14 @@ +**Updated document date: April 9, 2025** + +## Langflow /api/v1/validate/code Code Execution Vulnerability (CVE-2025-3248) +| **Vulnerability** | Langflow /api/v1/validate/code Code Execution Vulnerability (CVE-2025-3248)| +| :----: | :-----| +| **Chinese name** | Langflow /api/v1/validate/code 代码执行漏洞(CVE-2025-3248) | +| **CVSS core** | 7.80 | +| **FOFA Query** (click to view the results directly)| [product="LOGSPACE-LangFlow"] +| **Number of assets affected** | 2448 | +| **Description** |LangFlow is a low-code visual AI application development tool based on Python, focusing on the development of Multi-Agent AI, Prompt Engineering, and Retrieval-Augmented Generation (RAG) applications. Versions prior to 1.3.0 are vulnerable to code injection in the /api/v1/validate/code endpoint. Remote and unauthenticated attackers can send crafted HTTP requests to execute arbitrary code.| +| **Impact** | Versions prior to 1.3.0 are vulnerable to code injection in the /api/v1/validate/code endpoint. Remote and unauthenticated attackers can send crafted HTTP requests to execute arbitrary code, potentially leading to full server control.| +| **Affected versions** | <1.3.0 + +![](https://s3.bmp.ovh/imgs/2025/04/09/01613b486fcc5f6e.gif)
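Review bot: The table in this hunk is malformed in two rows and will not render as a table in most Markdown engines: `+| **FOFA Query** (click to view the results directly)| [product="LOGSPACE-LangFlow"]` and `+| **Affected versions** | <1.3.0` are both missing the closing `|`, and the FOFA cell is written as `[product="LOGSPACE-LangFlow"]`, which is link syntax with no target, so "click to view" cannot work; either add the query URL as the link target or drop the brackets and present it as plain query text. `**CVSS core**` should read `**CVSS score**`. The **Description** and **Impact** rows repeat the same two sentences about code injection in `/api/v1/validate/code` by remote unauthenticated attackers; keep the product description in the first and only the impact ("potentially leading to full server control") in the second. Since the table already states the affected range as `<1.3.0`, a **Remediation** row saying to upgrade to 1.3.0 or later and to keep the API off untrusted networks would make the advisory actionable for defenders, as would a **References** row pointing at the upstream advisory for CVE-2025-3248. Finally, the trailing `![](https://s3.bmp.ovh/...gif)` hotlinks a GIF from a third-party image host with empty alt text; that is fragile and inaccessible, so commit the image to the repository and give it a descriptive alt text.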