
feat(modules): Add detection module for CVE-2025-3248 (Langflow RCE) #1389

Open
jess-tech-lab wants to merge 11 commits into OWASP:master from jess-tech-lab:langflow_cve_2025_3248_vuln


@jess-tech-lab
Contributor

Proposed change

This PR introduces a new HTTP detection module for CVE-2025-3248, a critical RCE vulnerability in Langflow.

  • Implemented a decorator-based execution strategy.
  • Utilizes the id command and regex for uid= to ensure detection across different Linux distributions.

With a local instance of Langflow < 1.3.0 of a Vulhub Docker image, the new module detected the issue:

[Screenshot: langflow_cve]

Closes #1388

Type of change

  • New core framework functionality
  • Bugfix (non-breaking change which fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I have digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test, I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I have attached screenshots demonstrating my code works as intended
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

@coderabbitai
Contributor

coderabbitai Bot commented Mar 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 50a08f57-7ac3-4b7c-ba03-50675333a0b7

📥 Commits

Reviewing files that changed from the base of the PR and between 05ecc01 and bf6eab2.

📒 Files selected for processing (1)
  • docs/Modules.md
✅ Files skipped from review due to trivial changes (1)
  • docs/Modules.md

Summary by CodeRabbit

  • New Features

    • Added a vulnerability detection module for Langflow CVE-2025-3248 to identify affected Langflow instances (pre-1.3.0) and report potential remote code execution findings.
  • Documentation

    • Added a corresponding documentation entry describing the new Langflow CVE-2025-3248 module, its output interpretation, and suggested remediation guidance.

Walkthrough

Added a new vulnerability module for Langflow CVE-2025-3248 (unauthenticated RCE) and a corresponding documentation entry. The module targets /api/v1/validate/code with a POST payload that uses a controlled Python exec to detect remote code execution via response content and status checks.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation: docs/Modules.md | Inserted a new module entry langflow_cve_2025_3248_vuln in the modules index describing the Langflow CVE-2025-3248 check. |
| Vulnerability Module: nettacker/modules/vuln/langflow_cve_2025_3248.yaml | Added new YAML defining metadata, CVE/reference info, and a POST payload to /api/v1/validate/code that submits a Python exec-based payload to trigger a controlled exception; response validation includes allowed status codes (200, 422, 500) and a UID regex to confirm execution. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a detection module for CVE-2025-3248 (Langflow RCE vulnerability), which directly matches the changeset. |
| Description check | ✅ Passed | The description thoroughly explains the proposed changes, rationale, testing approach, and directly links to issue #1388, all of which are relevant to the changeset. |
| Linked Issues check | ✅ Passed | The PR fully implements the requirements from issue #1388: adds a detection module for CVE-2025-3248 with a decorator-based payload, uid regex matching, and appropriate HTTP status code handling. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to implementing the CVE-2025-3248 detection module as specified in issue #1388; documentation and module definition are appropriately aligned. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@jess-tech-lab
Contributor Author

@arkid15r and @securestep9 - can you review? Thanks.
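
For operators of a Langflow instance, the endpoint and status codes named in the walkthrough above can also be checked from the server side. The following is an added example, not part of this PR or of Nettacker: it triages web access logs for POST requests to /api/v1/validate/code. It assumes Combined Log Format and assumes that a 401 or 403 means the request was rejected before reaching the handler; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

ENDPOINT = "/api/v1/validate/code"   # endpoint named in the PR walkthrough
REACHED_HANDLER = {200, 422, 500}    # status codes the module accepts
REJECTED = {401, 403}                # assumption: rejected before the handler ran

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2026:09:14:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.7 - - [10/Mar/2026:09:14:03 +0000] "POST /api/v1/validate/code/ HTTP/1.1" 422 310 "-" "python-requests/2.32"
203.0.113.20 - alice [10/Mar/2026:09:20:41 +0000] "GET /api/v1/flows HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2026:09:31:10 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 401 88 "-" "curl/8.5"
malformed line without the expected fields
"""

def normalise(path):
    """Drop the query string and trailing slash so trivial variants still match."""
    return path.split("?", 1)[0].rstrip("/")

def triage(log_text):
    """Return {ip: {"reached": n, "rejected": n, "other": n}} for endpoint POSTs."""
    hits = defaultdict(lambda: {"reached": 0, "rejected": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalise(m["path"]) != ENDPOINT:
            continue  # unparseable line, other method, or other path
        status = int(m["status"])
        bucket = ("reached" if status in REACHED_HANDLER
                  else "rejected" if status in REJECTED else "other")
        hits[m["ip"]][bucket] += 1
    return dict(hits)

def needs_review(hits):
    """Sources with at least one request that reached the handler."""
    return sorted(ip for ip, counts in hits.items() if counts["reached"] > 0)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in needs_review(result):
        print(ip, result[ip])
```

Access logs do not record the response body, so a "reached" hit is a lead to correlate with the installed Langflow version and the requester's identity, not a confirmation of code execution.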

Development

Successfully merging this pull request may close these issues.

Add Module for CVE-2025-3248 (Langflow RCE)