Low-code tool: Critical vulnerability with highest rating jeopardizes Flowise
Attackers can target several critical vulnerabilities in the Flowise low-code platform and compromise systems.
The developers of the low-code platform Flowise have closed a total of seven security vulnerabilities. Five of them are rated "critical". In the worst case, malicious code can get onto systems. A patched version provides a remedy.
Various dangers
At the end of this article, interested parties can find the developers' advisories with further information on the vulnerabilities. The most dangerous is a "critical" malicious code vulnerability with the highest rating (CVSS v3 10/10), for which a CVE number has apparently not yet been assigned. Because JavaScript code is evidently not validated in the context of a connection to a Model Context Protocol (MCP) server, remote attackers can execute their own code. This usually leads to them gaining full control over the affected computers.
By exploiting the other critical vulnerabilities, attackers can, among other things, reset passwords to gain unauthorized access (CVE-2025-58434). Attackers can also read files that should be inaccessible to them. A CVE number has apparently not yet been assigned for this vulnerability either.
By successfully exploiting another vulnerability (no CVE number yet, threat level "high"), attackers can break out of the sandbox due to an insecure default configuration and execute system commands. According to the developers, this leads to attackers being able to execute malicious code remotely and completely compromise systems in this way.
Install a security update
The developers state that they have eliminated the software vulnerabilities in Flowise version 3.0.6. It is currently not known whether attacks are already taking place.
Several security vulnerabilities in the low-code platform were last closed in March of this year.
List sorted by threat level in descending order:
- RCE in Flowise
- Unauthenticated Password Reset Token Disclosure Leading to Account Takeover in Flowise Cloud and Local Deployments
- Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function
- Pre-Auth Arbitrary Code Execution
- Arbitrary File Read
- Unsandboxed RCE via Custom MCP
- SSRF in FlowiseAI/Flowise
(des)