CVE-2025-3248: Langflow Validate Code Endpoint Missing Auth
greprules fetch cve-2025-3248-langflow-validate-code-endpoint-missing-auth --engine opengrep

Description
The FastAPI route handler invokes validate_code() (which internally compiles and exec()s attacker-supplied Python source) without an authentication dependency declared in the route decorator. Because Python evaluates decorators and default-argument expressions at the moment exec() processes a function definition, an unauthenticated attacker can embed
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided