AI Threat Alert AI Threat Alert

CVE-2025-59434: Flowise Cloud: cross-tenant env var exposure leaks API keys

CRITICAL PoC AVAILABLE CISA: TRACK*
Published September 22, 2025
CISO Take

Any free-tier Flowise Cloud account could access environment variables from ALL other tenants — including OpenAI keys, AWS credentials, and database tokens — with no special skill required. If your org stored API keys or cloud credentials in Flowise Cloud before August 2025, treat them as compromised and rotate immediately. Patch to August 2025 release and audit which secrets were ever stored in the platform.

Risk Assessment

Critical (CVSS 9.6). Network-exploitable with near-zero barrier: a free account (no payment, no vetting) is sufficient to trigger the exploit with low complexity and no user interaction. The Scope:Changed designation means blast radius extends across ALL tenants on the shared platform. The combination of trivial exploitation, free entry cost, and high-value targets (cloud credentials enabling lateral movement into AWS/GCP production) makes this an immediate P0. Exploitation likely leaves minimal traces in standard application logs, increasing dwell time before detection.

Severity & Risk

CVSS 3.1
9.6 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I High
A None

Recommended Action

6 steps

  1. IMMEDIATE

    Rotate ALL credentials stored in Flowise Cloud environment variables — OpenAI keys, AWS/GCP service account credentials, Supabase tokens, and any third-party API keys. Assume compromised if stored before August 2025.

  2. Update to August 2025 Cloud-Hosted Flowise (patched).

  3. Audit Flowise Cloud access logs for Custom JavaScript Function node usage from free-tier accounts prior to patch date.

  4. Forward-looking: use secrets management services (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) instead of platform env vars for all AI tooling.

  5. Enforce least-privilege on all service accounts used with Flowise — scope down IAM roles and API key permissions.

  6. Enable anomaly alerts on OpenAI and cloud provider usage dashboards to detect ongoing abuse of already-exfiltrated credentials.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Privacy Violation Framework API Agent AML.T0048.000 AML.T0049 AML.T0050 AML.T0055 AML.T0083 AML.T0106

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2 - AI risk management process A.7.3 - Information security in AI systems
NIST AI RMF
GOVERN 6.1 - Organizational risk tolerance for AI is established MANAGE 2.2 - Mechanisms for treatment of AI risks are monitored and applied
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-59434?

Any free-tier Flowise Cloud account could access environment variables from ALL other tenants — including OpenAI keys, AWS credentials, and database tokens — with no special skill required. If your org stored API keys or cloud credentials in Flowise Cloud before August 2025, treat them as compromised and rotate immediately. Patch to August 2025 release and audit which secrets were ever stored in the platform.

Is CVE-2025-59434 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-59434, increasing the risk of exploitation.

How to fix CVE-2025-59434?

1. IMMEDIATE: Rotate ALL credentials stored in Flowise Cloud environment variables — OpenAI keys, AWS/GCP service account credentials, Supabase tokens, and any third-party API keys. Assume compromised if stored before August 2025. 2. Update to August 2025 Cloud-Hosted Flowise (patched). 3. Audit Flowise Cloud access logs for Custom JavaScript Function node usage from free-tier accounts prior to patch date. 4. Forward-looking: use secrets management services (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) instead of platform env vars for all AI tooling. 5. Enforce least-privilege on all service accounts used with Flowise — scope down IAM roles and API key permissions. 6. Enable anomaly alerts on OpenAI and cloud provider usage dashboards to detect ongoing abuse of already-exfiltrated credentials.

What systems are affected by CVE-2025-59434?

This vulnerability affects the following AI/ML architecture patterns: Multi-tenant LLM pipeline platforms, Agent frameworks, LLM orchestration layers, Cloud-hosted AI workflow builders, No-code/low-code AI automation platforms.

What is the CVSS score for CVE-2025-59434?

CVE-2025-59434 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScript Function node. This includes secrets such as OpenAI API keys, AWS credentials, Supabase tokens, and Google Cloud secrets — resulting in a full cross-tenant data exposure. This issue has been patched in the August 2025 Cloud-Hosted Flowise.

Exploitation Scenario

Adversary registers a free-tier Flowise Cloud account — no payment or verification required. They create a flow containing a Custom JavaScript Function node and inject JavaScript to enumerate cross-tenant environment variables (e.g., reading process.env and serializing all key-value pairs). Due to missing tenant isolation in the serverless/container execution environment, the script returns environment variables belonging to other tenants. Adversary systematically harvests these, then executes in parallel: (a) runs unauthorized LLM inference at victim's cost using stolen OpenAI keys, (b) uses stolen AWS access keys to enumerate S3 buckets and EC2 instances for data exfiltration or ransomware staging, (c) accesses victim databases via stolen Supabase connection strings. The entire attack requires only a free account and basic JavaScript — realistic for opportunistic threat actors and financially motivated groups.

Weaknesses (CWE)

CWE-200 CWE-284

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

References

Timeline

Published
September 22, 2025
Last Modified
September 22, 2025
First Seen
September 22, 2025

Related Vulnerabilities

CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same attack type: Auth Bypass
Back to Threat Feed