A critical remote code execution (RCE) vulnerability in Langflow, an open-source platform for building AI applications, is being actively exploited just hours after its public disclosure. The flaw demonstrates the shrinking window organizations have to apply security patches before threat actors weaponize a known issue.
The vulnerability, tracked as CVE-2024-28219, holds a CVSS score of 9.8 out of 10. It stems from an insecure deserialization process within the platform. An attacker can craft a malicious Langflow “flow”—a JSON file defining an application's workflow—and embed arbitrary Python code within it. When a user imports this file, the malicious code executes on the server hosting the Langflow instance.
Researchers at Trellix Advanced Research Center, who discovered the vulnerability, observed active exploitation attempts in the wild on March 20, the same day they published their findings and Langflow released a patch. Successful exploitation gives an attacker full control over the host system, enabling them to steal data, access sensitive credentials, or move laterally across the victim’s network.
This attack vector is distinct from prompt injection attacks that manipulate an AI model’s output. CVE-2024-28219 is a more severe code injection flaw that compromises the underlying infrastructure directly.
Langflow administrators are urged to upgrade all instances immediately to version 0.6.1 or later, the patched release the Langflow project issued to address the vulnerability. As a general security measure, users should avoid importing flows from untrusted or unverified sources.
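A pre-import triage check for flow files from outside sources, as an added example that is not Langflow's code or the researchers' tooling: it walks every string value in the JSON, reports those that parse as Python source, and lists names worth a manual look. It assumes the embedded code appears as a plain Python source string; the sample's field names and the `RISKY` list are hypothetical.

```python
import ast
import json
# Assumed review list (not from the article): OS, network and dynamic-execution names.
RISKY = {"os", "sys", "subprocess", "socket", "importlib", "pickle",
         "eval", "exec", "compile", "__import__", "open"}
CODE_NODES = (ast.Import, ast.ImportFrom, ast.FunctionDef,
              ast.AsyncFunctionDef, ast.ClassDef, ast.Call)

def iter_strings(node, path="$"):
    """Yield (json_path, text) for every string value in a parsed flow."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def risky_names(text):
    """Return None if text is not Python code, else the sorted risky names it uses."""
    try:
        tree = ast.parse(text)
    except (SyntaxError, ValueError):
        return None
    nodes = list(ast.walk(tree))
    if not any(isinstance(n, CODE_NODES) for n in nodes):
        return None  # labels such as "gpt-4" parse as bare expressions
    used = set()
    for n in nodes:
        if isinstance(n, ast.Import):
            used.update(a.name.split(".")[0] for a in n.names)
        elif isinstance(n, ast.ImportFrom) and n.module:
            used.add(n.module.split(".")[0])
        elif isinstance(n, ast.Name):
            used.add(n.id)
    return sorted(used & RISKY)

def scan_flow(raw_json):
    """Map each code-bearing JSON path to the risky names found there."""
    strings = iter_strings(json.loads(raw_json))
    return {p: r for p, t in strings if (r := risky_names(t)) is not None}

# Constructed sample; the field names are hypothetical, not Langflow's schema.
SAMPLE_FLOW = json.dumps({"name": "demo", "nodes": [
    {"id": "n1", "label": "gpt-4", "code": "def build(text):\n    return text.upper()"},
    {"id": "n2", "label": "Chat Input",
     "code": "import os\n\ndef build():\n    return os.environ.get('HOME')"},
]})
```

Every path returned holds code that would need review before import, including those with an empty name list; an empty result does not show a flow is safe, and upgrading remains the fix.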




