GHSA-q4xx-mc3q-23x8

Опубликовано: 14 авг. 2025

Источник: github

Github: Прошло ревью

CVSS3: 9.8

Описание

Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hmgh-466j-fx4c. This link is maintained to preserve external references.

Original Description

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2025-55346
https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925

Пакеты

Наименование

flowise

npm

Затронутые версииВерсия исправления

<= 3.0.5

Отсутствует

9.8 Critical

CVSS3

Дефекты

CWE-94

9.8 Critical

CVSS3

Дефекты

CWE-94