CVE-2025-34267: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in FlowiseAI Flowise
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier.
AI Analysis
Technical Summary
CVE-2025-34267 is a command injection vulnerability classified under CWE-77 affecting FlowiseAI's Flowise product versions before 3.0.8 when the 'ALLOW_BUILTIN_DEP' configuration is enabled. Flowise integrates Puppeteer and Playwright modules within a nodevm sandbox environment intended to isolate execution of user-defined tools. However, due to insecure handling of these modules, an authenticated attacker who can create or run tools leveraging Puppeteer or Playwright can specify attacker-controlled browser binary paths and parameters. This capability allows the attacker to execute arbitrary binaries or commands on the host system, effectively escaping the nodevm sandbox restrictions. The vulnerability does not require user interaction but does require authenticated access with high privileges. The impact includes remote code execution on the host, compromising confidentiality, integrity, and availability of the system. The vulnerability was initially misclassified as a duplicate of CVE-2025-26319 but is distinct. No public exploits are known yet, but the high CVSS score (8.4) reflects the serious risk posed by this flaw. The vulnerability affects Flowise version 3.0.1 and potentially other versions with the vulnerable configuration enabled. Since Flowise is used in AI workflow automation, exploitation could lead to control over AI infrastructure or data exfiltration.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those leveraging Flowise in AI development, automation, or data processing environments. Successful exploitation can lead to full host compromise, allowing attackers to execute arbitrary code, steal sensitive data, disrupt AI workflows, or pivot to other internal systems. This could result in intellectual property theft, operational downtime, and regulatory non-compliance, particularly under GDPR where data breaches have severe consequences. The requirement for authenticated access limits exposure but insider threats or compromised credentials could enable exploitation. The high severity and potential for sandbox escape elevate the risk profile. Organizations in sectors such as finance, healthcare, manufacturing, and research that adopt AI tools are particularly vulnerable. The lack of known exploits in the wild provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
1. Immediately review and restrict access to Flowise instances, ensuring only trusted and necessary users have authenticated access. 2. Disable the 'ALLOW_BUILTIN_DEP' feature if it is not essential for your workflows to prevent exposure to the vulnerability. 3. Monitor execution logs and system processes for unusual Puppeteer or Playwright invocations or unexpected browser binary paths. 4. Implement strict application whitelisting and endpoint protection to detect or block unauthorized code execution attempts. 5. Segregate Flowise infrastructure from critical systems to limit lateral movement in case of compromise. 6. Apply vendor patches or updates as soon as they become available to remediate the vulnerability. 7. Conduct regular credential audits and enforce strong authentication mechanisms to reduce risk of credential compromise. 8. Consider network-level controls to limit outbound connections from Flowise hosts to reduce attacker command and control capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
CVE-2025-34267: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in FlowiseAI Flowise
Description
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier.
AI-Powered Analysis
Technical Analysis
CVE-2025-34267 is a command injection vulnerability classified under CWE-77 affecting FlowiseAI's Flowise product versions before 3.0.8 when the 'ALLOW_BUILTIN_DEP' configuration is enabled. Flowise integrates Puppeteer and Playwright modules within a nodevm sandbox environment intended to isolate execution of user-defined tools. However, due to insecure handling of these modules, an authenticated attacker who can create or run tools leveraging Puppeteer or Playwright can specify attacker-controlled browser binary paths and parameters. This capability allows the attacker to execute arbitrary binaries or commands on the host system, effectively escaping the nodevm sandbox restrictions. The vulnerability does not require user interaction but does require authenticated access with high privileges. The impact includes remote code execution on the host, compromising confidentiality, integrity, and availability of the system. The vulnerability was initially misclassified as a duplicate of CVE-2025-26319 but is distinct. No public exploits are known yet, but the high CVSS score (8.4) reflects the serious risk posed by this flaw. The vulnerability affects Flowise version 3.0.1 and potentially other versions with the vulnerable configuration enabled. Since Flowise is used in AI workflow automation, exploitation could lead to control over AI infrastructure or data exfiltration.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those leveraging Flowise in AI development, automation, or data processing environments. Successful exploitation can lead to full host compromise, allowing attackers to execute arbitrary code, steal sensitive data, disrupt AI workflows, or pivot to other internal systems. This could result in intellectual property theft, operational downtime, and regulatory non-compliance, particularly under GDPR where data breaches have severe consequences. The requirement for authenticated access limits exposure but insider threats or compromised credentials could enable exploitation. The high severity and potential for sandbox escape elevate the risk profile. Organizations in sectors such as finance, healthcare, manufacturing, and research that adopt AI tools are particularly vulnerable. The lack of known exploits in the wild provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
1. Immediately review and restrict access to Flowise instances, ensuring only trusted and necessary users have authenticated access. 2. Disable the 'ALLOW_BUILTIN_DEP' feature if it is not essential for your workflows to prevent exposure to the vulnerability. 3. Monitor execution logs and system processes for unusual Puppeteer or Playwright invocations or unexpected browser binary paths. 4. Implement strict application whitelisting and endpoint protection to detect or block unauthorized code execution attempts. 5. Segregate Flowise infrastructure from critical systems to limit lateral movement in case of compromise. 6. Apply vendor patches or updates as soon as they become available to remediate the vulnerability. 7. Conduct regular credential audits and enforce strong authentication mechanisms to reduce risk of credential compromise. 8. Consider network-level controls to limit outbound connections from Flowise hosts to reduce attacker command and control capabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.579Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68eea752bbec4fba96d79ed9
Added to database: 10/14/2025, 7:41:06 PM
Last enriched: 11/19/2025, 4:10:43 AM
Last updated: 11/28/2025, 6:47:46 PM
Views: 61
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-12977: CWE-187: Partial String Comparison in FluentBit Fluent Bit
CriticalCVE-2025-12972: CWE-35: Path Traversal in FluentBit Fluent Bit
MediumCVE-2025-12970: CWE-121: Stack-based Buffer Overflow in FluentBit Fluent Bit
HighCVE-2025-12978: CWE-187: Partial String Comparison in FluentBit Fluent Bit
MediumCVE-2025-12969: CWE-306: Missing Authentication for Critical Function in FluentBit Fluent Bit
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.