来源

关联漏洞

描述

Exploit for Langflow AI Remote Code Execution (Unauthenticated)

介绍

# CVE-2025-3248 — Langflow AI Remote Code Execution (Unauthenticated)

**Author:** 0xgh057r3c0n
---

## Description

This exploit targets a critical unauthenticated RCE vulnerability (CVE-2025-3248) in Langflow AI. The vulnerability allows an attacker to execute arbitrary system commands on the target server via the `/api/v1/validate/code` endpoint.

This proof-of-concept (PoC) tool provides an interactive shell for testing and demonstrating the issue.

---

## Prerequisites

* Python 3.8 or newer
* `pip3` for installing dependencies

---

## Installation

### 1. Clone the Repository

```bash
git clone https://github.com/yourusername/CVE-2025-3248.git
cd CVE-2025-3248
```

### 2. Install Python Dependencies

```bash
pip3 install -r requirements.txt
```

---

## Usage

```bash
python3 CVE-2025-3248.py -u http://TARGET_HOST:PORT
```

### Example

```bash
python3 CVE-2025-3248.py -u http://127.0.0.1:7860
```

You will be presented with an interactive shell:

```
0xgh057r3c0n@root💀$ whoami
langflow

0xgh057r3c0n@root💀$ uname -a
Linux ubuntu 5.15.0-89-generic #99~20.04.1-Ubuntu SMP ...
```

* To exit: type `exit` or `quit`
* Supports typical Linux/Unix shell commands

---

## Notes

* SSL verification is disabled (useful for testing self-signed certificates)
* This PoC is for educational and authorized testing purposes only

---

## License

This project is licensed under the MIT License — see the [LICENSE](LICENSE) file for details.

---

## Disclaimer

This software is provided for educational and research purposes only.
The author assumes no liability for any misuse of this code.
Use only on systems you own or have explicit permission to test.

文件快照

 [4.0K]  /data/pocs/666c8b998b1e8c725a4e7aad7f5b3414773afd43
├── [3.5K]  CVE-2025-3248.py
├── [1.1K]  LICENSE
├── [1.6K]  README.md
└── [  18]  requirements.txt

0 directories, 4 files

备注