CVE-2025-55346: Flowise JS injection remote code execution

August 14, 2025

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.

References

github.com/FlowiseAI/Flowise
github.com/advisories/GHSA-q4xx-mc3q-23x8
nvd.nist.gov/vuln/detail/CVE-2025-55346
research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925

Code Behaviors & Features

Detect and mitigate CVE-2025-55346 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →