Skip to main content

Flowise CVE-2025-34267

HIGH
Command Injection (CWE-77)
2025-10-14 disclosure@vulncheck.com
8.4
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Network-reachable tool execution needs an authenticated privileged account (PR:H) but no interaction; sandbox escape to host is a scope change (S:C) with full host code execution (C/I/A:H).

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 23:30 vuln.today
Analysis Generated
Jul 14, 2026 - 23:30 vuln.today
CVE Published
Oct 14, 2025 - 20:15 cve.org
HIGH 8.4

DescriptionCVE.org

Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier.

AnalysisAI

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when 'ALLOW_BUILTIN_DEP' is enabled) lets a logged-in user break out of the nodevm sandbox by abusing the bundled Puppeteer and Playwright modules. Because a custom tool can specify an attacker-controlled browser binary path and launch parameters, executing that tool runs an arbitrary executable on the host outside the intended sandbox, yielding code execution in the host context. Publicly available exploit code exists; the flaw is not listed in CISA KEV, and it was mis-filed by the vendor as a duplicate of CVE-2025-26319 but is distinct.

Technical ContextAI

Flowise is an open-source low-code/no-code visual builder for LLM orchestration and AI agent workflows. Its Custom Tool / Function feature runs user-supplied JavaScript inside a Node 'vm' (nodevm) sandbox that is meant to restrict access to host resources and dependencies. The bundled browser-automation libraries Puppeteer and Playwright expose an interface to launch an external browser process by explicit executable path and arguments; when the integrated modules are made available to sandboxed code (gated by ALLOW_BUILTIN_DEP), that launch capability becomes a primitive to spawn an arbitrary host process, defeating the sandbox. This maps to CWE-77 (command injection / improper neutralization of special elements in a command), the root cause being that attacker-influenced executable paths and parameters are passed to a process-spawning API without restriction. The PR #5231 fix confirms the mechanism: in packages/components/src/utils.ts the available built-in/project dependencies are now only concatenated into the sandbox dependency set when process.env.ALLOW_BUILTIN_DEP === 'true', otherwise only explicitly declared external deps are exposed, and ALLOW_BUILTIN_DEP is introduced across env examples and docker-compose files defaulting to false.

RemediationAI

Vendor-released patch: upgrade to Flowise 3.0.8 or later, which changes packages/components/src/utils.ts so that built-in/project dependencies are only exposed to the sandbox when ALLOW_BUILTIN_DEP is explicitly 'true' (fix in https://github.com/FlowiseAI/Flowise/pull/5231, advisory https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5w3r-f6gm-c25w). Because the setting still enables the dangerous path on patched versions, keep ALLOW_BUILTIN_DEP unset or false (the new default) unless you fully trust every user who can author tools; setting it to true re-introduces host code execution and should be avoided in shared or exposed deployments. If you cannot upgrade immediately, restrict who holds tool-creation/execution privileges, avoid exposing the Flowise UI/API to untrusted networks, and run Flowise as an unprivileged, containerized/sandboxed OS user so a host escape is contained - noting these controls reduce blast radius but do not remove the vulnerability, which the version upgrade does.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

CVE-2025-29189 HIGH POC
7.6 Apr 09

Flowise <= 2.2.3 is vulnerable to SQL Injection. Rated high severity (CVSS 7.6), this vulnerability is remotely exploita

Share

CVE-2025-34267 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy