CVE-2025-59434 — CRITICAL (CVSS 9.6) AI Security Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on...

Full analysis pending. Showing NVD description excerpt.

Severity & Risk

CVSS 3.1

9.6 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScript Function node. This includes secrets such as OpenAI API keys, AWS credentials, Supabase tokens, and Google Cloud secrets — resulting in a full cross-tenant data exposure. This issue has been patched in the August 2025 Cloud-Hosted Flowise.

Weaknesses (CWE)

CWE-200 CWE-284

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

References

github.com/FlowiseAI/Flowise/security/advisories/GHSA-435c-mg9p-fv22

Timeline

Published

September 22, 2025

Last Modified

September 22, 2025

First Seen

September 22, 2025