AI/ML, Vulnerability Management, Patch/Configuration Management

Critical 9.8 Langflow RCE bug added to CISA vulnerability list

The Cybersecurity and Infrastructure Security Agency (CISA) on May 5 added a critical 9.8 Langflow vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Security pros considered the flaw (CVE-2025-3248) significant because Langflow has grown popular among developers — nearly 60,000 users on GitHub — and is now considered one of the leading tools for building and maintaining agentic AI workflows.

“Attackers have already exploited this flaw, deploying reverse shells and crypto-miners,” said Saeed Abbasi, manager of vulnerability research at the Qualys Threat Research Unit. “Even on isolated development VMs, a breached Langflow instance can serve as a launchpad for infiltrating corporate networks. This flaw transforms a single point of failure into a silent amplifier of chaos.”

Abbasi explained that an unauthenticated RCE bug in Langflow lets attackers seize complete server control without credentials or user interaction, exposing sensitive data like OpenAI/Anthropic API keys, vector database credentials, proprietary embeddings, and CI/CD tokens. Abbasi said compromised instances can trigger supply chain attacks by injecting malicious prompts or exfiltrating user inputs, endangering all downstream users of dependent services.

Nic Adams, co-founder and CEO of 0rcus, added that an attacker can achieve full system compromise, access memory, exfiltrate credentials or vector stores, implant persistent malicious logic into agent flows, or hijack AI behavior to manipulate outputs.

“It poses systemic risk to the AI supply chain, undermining the integrity of any application built on a compromised Langflow instance,” said Adams. “Patch immediately to the latest version, and never expose Langflow directly to the internet.”

Chris Gray, Field CTO at Deepwatch, added that this is not a minor issue given the levels of access to AI tools and platforms that these compromised systems would offer to attackers.

“Beyond this, there are the normal concerns around account compromises leading to lateral movement and exploitation,” said Gray. “At RSAC this year, one of the single biggest themes was how identity is the new frontier being targeted, and a compromise based on vulnerabilities such as this one provides immediate benefits to malicious users.”
