CVE-2025-59527: Flowise: unauthenticated SSRF exposes internal network

HIGH PoC AVAILABLE
Published September 22, 2025
CISO Take

Flowise 3.0.5 contains an unauthenticated Server-Side Request Forgery in its /api/v1/fetch-links endpoint, enabling any network-accessible attacker to coerce the Flowise server into proxying HTTP requests to internal services and returning their content. Flowise deployments are typically positioned inside enterprise networks with broad access to internal APIs, vector databases, LLM gateways, and cloud infrastructure — making SSRF here significantly more dangerous than in a generic web application. A public PoC exists, exploitation requires zero privileges and zero user interaction (CVSS AV:N/AC:L/PR:N/UI:N), and the package carries 16 prior CVEs indicating a persistent pattern of insufficient security review. Patch to Flowise 3.0.6 immediately; if patching is blocked, restrict /api/v1/fetch-links at the reverse proxy layer and audit outbound HTTP logs for requests targeting RFC1918 ranges or cloud metadata endpoints such as 169.254.169.254.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

High risk. Zero-authentication network exploitation with a public PoC lowers the attacker skill floor to near-zero. Flowise is commonly deployed with internal network access to LLM APIs, vector stores, and backend services, making SSRF a pivot point into broader AI infrastructure. Cloud deployments face additional exposure from metadata endpoint abuse (AWS IMDSv1, GCP metadata server) that could yield temporary IAM credentials enabling full cloud account compromise. The 16 prior CVEs in this package signal a systemic vulnerability management gap that warrants elevated scrutiny.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
flowise | npm       |                  | No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch immediately: upgrade to Flowise 3.0.6.
  2. If patching is delayed, block or rate-limit the /api/v1/fetch-links endpoint at the WAF or reverse proxy with an explicit deny rule.
  3. Implement outbound egress controls for Flowise containers — restrict outbound HTTP to a specific allowlist of required external domains.
  4. In cloud environments, enforce IMDSv2 with hop-limit=1 on EC2/GCP instances to block metadata SSRF.
  5. Audit access logs for anomalous outbound requests to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.169.254.
  6. Network-segment Flowise deployments so they cannot directly reach production databases, secrets stores, or other sensitive internal services.
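An added example (not part of the advisory or of Flowise) that implements the audit step above as a log check: it parses reverse-proxy access-log lines, extracts the url parameter from /api/v1/fetch-links requests, and flags targets inside the ranges listed. The combined log format, the sample lines and the loopback range are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs
# Constructed sample lines (not real traffic): combined-format log from a reverse
# proxy in front of Flowise; the fetch-links "url" parameter is URL-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2025:10:01:02 +0000] "GET /api/v1/fetch-links?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2025:10:01:05 +0000] "GET /api/v1/fetch-links?url=http%3A%2F%2F10.0.3.14%3A6333%2Fcollections HTTP/1.1" 200 2048
198.51.100.9 - - [22/Sep/2025:10:02:00 +0000] "GET /api/v1/fetch-links?url=https%3A%2F%2Fexample.com%2Fdocs HTTP/1.1" 200 7310
198.51.100.9 - - [22/Sep/2025:10:02:30 +0000] "POST /api/v1/prediction/abc HTTP/1.1" 200 40
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Ranges from the advisory's audit step (RFC1918 + metadata address); loopback is an assumed addition.
SENSITIVE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.169.254/32", "127.0.0.0/8")]

def fetch_links_target(request_path):
    # Host named by the fetch-links "url" parameter, or None for other endpoints.
    parsed = urlparse(request_path)
    if parsed.path != "/api/v1/fetch-links":
        return None
    urls = parse_qs(parsed.query).get("url")
    return urlparse(urls[0]).hostname if urls else None

def classify_host(host):
    # Reason string when the target is internal/metadata, else None.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names (e.g. internal-vector-db) only resolve internally; flag heuristically, no DNS.
        return "single-label internal hostname" if "." not in host else None
    for net in SENSITIVE_NETS:
        if addr in net:
            return f"target in {net}"
    return None

def scan_log(text):
    # (client_ip, target_host, reason) for each suspicious fetch-links request.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        host = fetch_links_target(path)
        reason = classify_host(host) if host else None
        if reason:
            hits.append((client, host, reason))
    return hits
```

Run `scan_log` over the proxy's access log; a non-empty result for any client is worth an alert, since legitimate fetch-links use should only name external documentation hosts.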

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.2 - AI risk assessment
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain value and mitigate AI risks of deployed systems
OWASP LLM Top 10: LLM08 - Excessive Agency

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. This issue has been patched in version 3.0.6.

Exploitation Scenario

An attacker discovers a Flowise instance exposed on a corporate or cloud network — common in AI/ML teams using Flowise for LLM workflow prototyping. Without any credentials, they send a request to /api/v1/fetch-links with the URL parameter targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDS) or an internal service such as http://internal-vector-db:6333/collections. Flowise fetches the URL and returns the response body directly, yielding AWS temporary IAM credentials or internal service enumeration data. With cloud credentials in hand, the attacker escalates to full AWS account access, potentially exfiltrating training datasets, model weights, and customer data from S3 or RDS backing the AI platform.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: September 22, 2025
Last Modified: September 23, 2025
First Seen: September 22, 2025

Related Vulnerabilities