Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence

The Hacker News by The Hacker News
May 6, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


May 06, 2025Ravie LakshmananCybersecurity / Vulnerability

A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation.

The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8 out of a maximum of 10.0.

“Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests,” CISA said.

Cybersecurity

Specifically, the endpoint has been found to improperly invoke Python’s built-in exec() function on user-supplied code without adequate authentication or sandboxing, thereby allowing attackers to execute arbitrary commands on the server.

The shortcoming, which affects most versions of the popular tool, has been addressed in version 1.3.0 released on March 31, 2025. Horizon3.ai has been credited with discovering and reporting the flaw in February.

Critical Langflow Flaw

According to the company, the vulnerability is “easily exploitable” and allows unauthenticated remote attackers to take control of Langflow servers. A proof-of-concept (PoC) exploit has since been made publicly available as of April 9, 2025, by other researchers.

Cybersecurity

Data from attack surface management platform Censys shows that there are 466 internet-exposed Langflow instances, with a majority of them concentrated in the United States, Germany, Singapore, India, and China.

It’s currently not known how the vulnerability is being abused in real-world attacks, by whom, and for what purpose. Federal Civilian Executive Branch (FCEB) agencies have time until May 26, 2025, to apply the fixes.

“CVE-2025-3248 highlights the risks of executing dynamic code without secure authentication and sandboxing measures,” Zscaler noted last month. “This vulnerability serves as a critical reminder for organizations to approach code-validation features with caution, particularly in applications exposed to the internet.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Interview: Joe Depa, global chief innovation officer, EY | Computer Weekly

Interview: Joe Depa, global chief innovation officer, EY | Computer Weekly

Recommended.

MPs call for UK government to back sovereign IT | Computer Weekly

MPs call for UK government to back sovereign IT | Computer Weekly

June 16, 2026
New Survey Reveals Tech-savvy Tennessee Pet Owners Monitor Their Pet’s Wellness Digitally–Ranking No. 1 in U.s.–but Majority Are Skipping an Important Preventive Care Habit at Home

New Survey Reveals Tech-savvy Tennessee Pet Owners Monitor Their Pet’s Wellness Digitally–Ranking No. 1 in U.s.–but Majority Are Skipping an Important Preventive Care Habit at Home

June 20, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

July 7, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio