Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:N because chat submission requires no account; UI:R because a human victim must view the chat; S:C because injected script executes in the victim's distinct browser security context.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <iframe src="javascript:alert(document.cookie)">) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.
AnalysisAI
Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.
Technical ContextAI
Flowise is an open-source, Node.js/npm-based visual AI workflow builder distributed under cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*. The root cause is CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page): the application fails to sanitize HTML and JavaScript before rendering it in the browser, allowing javascript: URI schemes and arbitrary HTML tags to execute as code. Two distinct injection surfaces exist: the chat interface directly renders unsanitized user-submitted messages, and the Agentflow custom function pipeline fetches external URLs via node-fetch and returns their raw text content to the renderer without sanitization - creating a second-order XSS path where attacker-controlled external web servers can deliver payloads through trusted agent execution.
RemediationAI
Upgrade Flowise to version 3.0.8 or later, the vendor-released patch confirmed by GHSA-4fr9-3x69-36wv and corroborated by EUVD and VulnCheck. Install via npm with 'npm install flowise@3.0.8' or equivalent. If immediate patching is blocked, restrict access to the Flowise chat interface and Agentflow creation capabilities to authenticated, trusted users only - this reduces but does not eliminate the attack surface, as authenticated users could still inject payloads targeting other users. As an additional defense-in-depth measure, deploy a Content Security Policy (CSP) header that sets 'script-src' to disallow inline scripts and blocks javascript: URI schemes; this would neutralize the specific iframe javascript: PoC payload but is not a substitute for patching and may break legitimate Flowise functionality requiring testing. The vendor advisory is at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-4fr9-3x69-36wv.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210289
GHSA-jv86-v5fr-xvg6