CVE-2025-55346: Flowise vulnerable to RCE via Dynamic function constructor injection

October 6, 2025

User-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host (not sandboxed) leading to RCE.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-hmgh-466j-fx4c
github.com/advisories/GHSA-hmgh-466j-fx4c
nvd.nist.gov/vuln/detail/CVE-2025-55346
research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925

Code Behaviors & Features

Detect and mitigate CVE-2025-55346 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →