flowise@3.1.2

Flowiseai Server

  • latest version

    3.1.2

  • first published

    3 years ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the flowise package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • [Medium] Access Control Bypass

    flowise is a Flowiseai Server

    Affected versions of this package are vulnerable to Access Control Bypass via the POST /api/v1/account/login and POST /api/v1/account/invite endpoints. An attacker can gain access to arbitrary users' bcrypt password hashes, tempToken, and tokenExpiry values, including those of privileged accounts.

    Note:

    This issue is due to incomplete fix for CVE-2025-58434.

    How to fix Access Control Bypass?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [Medium] Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of user input in web application components such as the chat box and agent workflow processes. An attacker can execute arbitrary JavaScript code in the victim's browser by injecting malicious scripts, potentially leading to theft of sensitive information such as cookies when a user interacts with crafted content.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [High] Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the chat logs, due to improper input sanitization. An attacker can access sensitive information or impersonate an administrator by injecting malicious HTML or scripts into chat prompts, which are then rendered when an admin views the logs.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [High] Uncontrolled Resource Consumption ('Resource Exhaustion')

    Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the /api/v1/get-upload-file API endpoint. An attacker can cause the application to crash by sending specially crafted input.

    How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [Medium] Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /api/v1/public-chatflows/id endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [Medium] Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the /api/v1/chatflows-streaming/id endpoint, which returns a 404 page in the absence of a streaming ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [Medium] Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /api/v1/credentials/id endpoint, which returns a 404 page in the absence of a credential ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [Medium] Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the api/v1/chatflows/id endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the text/html page to read unintended files on the filesystem.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)
    • [High] Path Traversal

    Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of the filename parameter used by the /api/v1/openai-assistants-file endpoint. An attacker can pass in a path traversal string to read arbitrary files on the vulnerable file system.

    How to fix Path Traversal?

    There is no fixed version for flowise.

    Vulnerable versions: * (all versions)