GHSA-q4xx-mc3q-23x8: Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection

August 14, 2025 (updated October 3, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hmgh-466j-fx4c. This link is maintained to preserve external references.

Original Description

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.

References

github.com/FlowiseAI/Flowise
github.com/advisories/GHSA-q4xx-mc3q-23x8
nvd.nist.gov/vuln/detail/CVE-2025-55346
research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925

Code Behaviors & Features

Detect and mitigate GHSA-q4xx-mc3q-23x8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →