CVE Catalog

CVE-2025-71331

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile — higher than 5% of all known CVEs

Summary

Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript, leading to cookie and session data theft.

Risk Assessment

This vulnerability poses a risk of session data theft from users, potentially leading to unauthorized access to accounts and other organizational resources.

Recommendation

It is recommended to update Flowise to version 3.0.8 or later and implement appropriate input filtering mechanisms to minimize XSS risk.

Original NVD description (English source)

Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <iframe src="javascript:alert(document.cookie)">) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS