Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection

GHSA-q4xx-mc3q-23x8

Published Aug 14, 2025 · Modified Oct 3, 2025

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hmgh-466j-fx4c. This link is maintained to preserve external references.

Original Description

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-55346
PACKAGE https://github.com/FlowiseAI/Flowise
WEB https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes