CVE-2025-29192: Flowise Stored XSS vulnerability through logs in chatbot
In the chat log, tags such as input and form are allowed. This creates a potential stored cross-site scripting (XSS) vulnerability: an attacker could inject malicious HTML into the log via prompts, and when an admin views the log containing that HTML, the attacker could steal the admin's credentials or other sensitive information.
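As an added example (not Flowise's own code), the JavaScript below contrasts the vulnerable pattern of rendering stored chat messages verbatim with an escape-then-re-enable sanitizer that leaves input and form tags inert, plus a small check for flagging such tags in already-stored log entries. The allowlist, function names and sample message are assumptions constructed for illustration.

```javascript
// Added example, not Flowise's own code: the allowlist, helper names and the
// sample log entry are constructed to illustrate the fix class behind
// CVE-2025-29192 (stored XSS via HTML kept in chat logs).

// Bare formatting tags a chat log may legitimately keep; input, form, script
// and any attribute-carrying tag are deliberately absent.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "code", "pre", "p", "br"]);

// Escape the five HTML-significant characters so a string renders as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored message is interpolated into the admin view
// as-is, so an injected <form>/<input> pair becomes live markup for the admin.
function renderLogEntryUnsafe(message) {
  return `<div class="log-entry">${message}</div>`;
}

// Hardened pattern: escape everything, then re-enable only bare allowlisted
// tags (no attributes). Anything else, including unterminated tags, stays text.
function sanitizeChatMessage(message) {
  const escaped = escapeHtml(message);
  const tagAlt = [...ALLOWED_TAGS].join("|");
  const reEnable = new RegExp(`&lt;(\\/?)(${tagAlt})&gt;`, "gi");
  return escaped.replace(reEnable, (_m, slash, name) => `<${slash}${name.toLowerCase()}>`);
}

function renderLogEntry(message) {
  return `<div class="log-entry">${sanitizeChatMessage(message)}</div>`;
}

// Detection helper for reviewing stored logs: list tag names outside the
// allowlist so entries carrying input/form can be flagged before an admin opens them.
function findDisallowedTags(message) {
  const names = [...message.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return [...new Set(names.filter((n) => !ALLOWED_TAGS.has(n)))];
}

// Constructed sample: a chat message that smuggles a form with an input field.
const SAMPLE_MESSAGE =
  '<b>hi</b><form action="https://example.invalid"><input name="token"></form>';

console.log("unsafe  :", renderLogEntryUnsafe(SAMPLE_MESSAGE));
console.log("safe    :", renderLogEntry(SAMPLE_MESSAGE));
console.log("flagged :", findDisallowedTags(SAMPLE_MESSAGE));
```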
References
- github.com/FlowiseAI/Flowise
- github.com/FlowiseAI/Flowise/commit/9a06a85a8ddcbaeca1342827a5fea9087a587d97
- github.com/FlowiseAI/Flowise/pull/4905
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.5
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-7r4h-vmj9-wg42
- github.com/advisories/GHSA-7r4h-vmj9-wg42
- nvd.nist.gov/vuln/detail/CVE-2025-29192