CVE-2025-71332: Flowise: SQL injection exposes AI credential store

MEDIUM
Published June 24, 2026
CISO Take

Flowise through 2.2.7 allows any authenticated user to trigger blind and error-based SQL injection via a crafted JSON file uploaded to the importChatflows API, with the chatflow.id field injected unsanitized into a SQL IN clause targeting the credential table. The primary blast radius is the credential store where Flowise holds API keys for connected LLM providers, vector databases, and external services — a single exploited admin account could expose your entire AI stack's authentication layer. While the PR:H requirement reduces opportunistic risk, insider threats and compromised admin credentials make this exploitable in real enterprise environments, and with 104 CVEs already logged against Flowise and no confirmed patch version as of publication, the compound exposure is material. Immediately rotate all API keys stored in Flowise, restrict network access to the admin interface to trusted IP ranges, and monitor for anomalous SQL errors or unusual activity on the importChatflows endpoint until a patched release is confirmed.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Risk is rated medium at infrastructure level but elevated in AI-specific context. Flowise is commonly deployed to orchestrate multi-LLM pipelines with stored credentials for high-value API providers such as OpenAI and Anthropic. The credential table exposure means a successful exploit translates directly into LLM API key theft, enabling unauthorized model usage, cost harvesting, and lateral movement into connected vector databases or enterprise systems. With 104 CVEs already documented against Flowise and no confirmed patch version, the compound exposure of an AI orchestration platform's credential store exceeds what the base CVSS 6.5 score implies.

How does the attack unfold?

Initial Access (AML.T0012)
Attacker authenticates to Flowise using valid admin credentials obtained via credential stuffing, phishing, or insider access to the admin panel.

Weaponization (AML.T0049)
Attacker crafts a malicious JSON chatflow import file embedding SQL injection payloads in the id field targeting the credential table for blind or error-based extraction.

Exploitation (AML.T0106)
Malicious file is submitted to the importChatflows API; the unsanitized id value is concatenated into a SQL IN clause, executing arbitrary SQL against the Flowise PostgreSQL database.

Credential Exfiltration (AML.T0083)
Attacker iterates SQL payloads to dump all records from the credential table, harvesting LLM provider API keys and AI service secrets for downstream abuse across the AI stack.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV Network
AC Low
PR High
UI None
S Unchanged
C High
I High
A None

What should I do?

6 steps
  1. Upgrade Flowise beyond 2.2.7 once a patched release is confirmed — monitor GHSA-9c4c-g95m-c8cp for patch status.

  2. Immediately rotate all API keys and credentials stored in the Flowise credential table, prioritizing LLM provider keys (OpenAI, Anthropic, Cohere) and vector database connection strings.

  3. Restrict network access to the Flowise admin interface to trusted IP ranges — the importChatflows endpoint must not be publicly reachable.

  4. Audit all admin-level accounts in Flowise: disable unused accounts and rotate credentials for active ones.

  5. Deploy WAF rules to inspect JSON payloads on the importChatflows endpoint for SQL injection patterns, particularly anomalous id field values containing quotes, SQL keywords, or CAST/CONVERT expressions.

  6. Review database query logs for error-based SQL injection signatures or unexpected IN clause patterns on the Flowise database instance.
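A sketch of the check that steps 5 and 6 describe, added here as an example (it is not a Flowise feature or a vendor WAF rule): it walks an import file and reports every `id` value containing quotes, SQL comment markers, SQL keywords or CAST/CONVERT calls. The `chatflows` key, the function names and the sample file are constructed for illustration.

```javascript
// Added example: indicator scan for id fields in a chatflow import file.
// Indicator names and the keyword list are illustrative and should be tuned.
const INDICATORS = [
  ['quote', /['"`]/],
  ['comment', /--|\/\*/],
  ['sql-keyword', /\b(select|union|insert|update|delete|drop|from|where)\b/i],
  ['cast-convert', /\b(cast|convert)\s*\(/i],
];

// Recursively visit the parsed JSON and test every scalar "id" property.
function findSuspiciousIds(node, path = '$', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findSuspiciousIds(child, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (key === 'id' && typeof value !== 'object') {
        const text = String(value);
        const reasons = INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
        if (reasons.length > 0) hits.push({ path: here, reasons });
      } else {
        findSuspiciousIds(value, here, hits);
      }
    }
  }
  return hits;
}

// Entry point: unparseable uploads are reported rather than silently passed.
function scanImportFile(rawJson) {
  let doc;
  try {
    doc = JSON.parse(rawJson);
  } catch (err) {
    return [{ path: '$', reasons: ['invalid-json'] }];
  }
  return findSuspiciousIds(doc);
}

// Constructed sample: one ordinary id, one shaped like the advisory's scenario.
const SAMPLE_IMPORT = JSON.stringify({
  chatflows: [
    { id: '3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b', name: 'support-bot' },
    { id: "x' AND 1=CAST((SELECT 1) AS INT)--", name: 'imported' },
  ],
});

console.log(scanImportFile(SAMPLE_IMPORT));
```

Pattern matching of this kind is a detection and triage aid; it does not replace fixing the query itself.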

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Information security in AI systems
NIST AI RMF
MANAGE-2.2 - Risk treatment and remediation
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-71332?

Flowise through 2.2.7 allows any authenticated user to trigger blind and error-based SQL injection via a crafted JSON file uploaded to the importChatflows API, with the chatflow.id field injected unsanitized into a SQL IN clause targeting the credential table. The primary blast radius is the credential store where Flowise holds API keys for connected LLM providers, vector databases, and external services — a single exploited admin account could expose your entire AI stack's authentication layer. While the PR:H requirement reduces opportunistic risk, insider threats and compromised admin credentials make this exploitable in real enterprise environments, and with 104 CVEs already logged against Flowise and no confirmed patch version as of publication, the compound exposure is material. Immediately rotate all API keys stored in Flowise, restrict network access to the admin interface to trusted IP ranges, and monitor for anomalous SQL errors or unusual activity on the importChatflows endpoint until a patched release is confirmed.

Is CVE-2025-71332 actively exploited?

No confirmed active exploitation of CVE-2025-71332 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-71332?

  1. Upgrade Flowise beyond 2.2.7 once a patched release is confirmed — monitor GHSA-9c4c-g95m-c8cp for patch status.

  2. Immediately rotate all API keys and credentials stored in the Flowise credential table, prioritizing LLM provider keys (OpenAI, Anthropic, Cohere) and vector database connection strings.

  3. Restrict network access to the Flowise admin interface to trusted IP ranges — the importChatflows endpoint must not be publicly reachable.

  4. Audit all admin-level accounts in Flowise: disable unused accounts and rotate credentials for active ones.

  5. Deploy WAF rules to inspect JSON payloads on the importChatflows endpoint for SQL injection patterns, particularly anomalous id field values containing quotes, SQL keywords, or CAST/CONVERT expressions.

  6. Review database query logs for error-based SQL injection signatures or unexpected IN clause patterns on the Flowise database instance.

What systems are affected by CVE-2025-71332?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, no-code AI builders, RAG pipelines, LLM orchestration pipelines, multi-agent systems.

What is the CVSS score for CVE-2025-71332?

CVE-2025-71332 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, no-code AI builders, RAG pipelines, LLM orchestration pipelines, multi-agent systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.

Exploitation Scenario

An attacker with admin-level access to a Flowise instance — obtained via credential stuffing against an exposed admin panel, insider access, or a phishing campaign targeting a Flowise operator — crafts a malicious JSON chatflow import file. The file's id field contains a SQL injection payload such as `1' AND 1=CAST((SELECT api_key FROM credentials LIMIT 1 OFFSET 0) AS INT)--` designed for error-based extraction. The attacker uploads this file via the importChatflows API, which concatenates the id value directly into a SQL IN clause without sanitization. By iterating through payloads with incrementing OFFSET values, the attacker systematically dumps the entire credential table, harvesting API keys for every LLM provider and integrated service configured by Flowise users. In an AI agent deployment, this credential harvest enables the attacker to impersonate the AI system against downstream LLM APIs, exfiltrate data from connected vector databases, and pivot across the organization's AI infrastructure.

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.
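The CWE-89 guidance above applied to the IN clause this advisory describes, as an added example that is not Flowise source code: the concatenating query builder beside a parameterized one. The table name, the function names and the assumption that chatflow ids are UUIDs are illustrative.

```javascript
// Added example: hypothetical names throughout, not code from the Flowise project.
const TABLE = 'example_chatflow_table'; // placeholder table name, fixed in code
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// BEFORE: the pattern the advisory describes. Each id is pasted into the SQL
// text, so a quote inside an id closes the literal and the rest is parsed as SQL.
function buildInClauseUnsafe(ids) {
  const list = ids.map((id) => `'${id}'`).join(', ');
  return `SELECT id FROM ${TABLE} WHERE id IN (${list})`;
}

// AFTER: allow-list every id (assumed to be a UUID), then emit placeholders only.
// The { text, values } pair is the shape node-postgres accepts as
// client.query(text, values); the values never become part of the SQL text.
function buildInClauseSafe(ids) {
  if (!Array.isArray(ids) || ids.length === 0) {
    throw new TypeError('ids must be a non-empty array'); // "IN ()" is invalid SQL
  }
  const values = ids.map((id, i) => {
    if (typeof id !== 'string' || !UUID_RE.test(id)) {
      throw new RangeError(`chatflow[${i}].id is not a UUID`);
    }
    return id.toLowerCase();
  });
  const placeholders = values.map((_, i) => `$${i + 1}`).join(', ');
  return { text: `SELECT id FROM ${TABLE} WHERE id IN (${placeholders})`, values };
}

// Constructed inputs: two well-formed ids and one hostile value.
const GOOD_IDS = [
  '3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b',
  'A1B2C3D4-0000-4000-8000-ABCDEFABCDEF',
];
const HOSTILE_ID = "x' AND 1=CAST((SELECT 1) AS INT)--";

console.log(buildInClauseUnsafe([HOSTILE_ID])); // hostile text ends up inside the SQL
console.log(buildInClauseSafe(GOOD_IDS));       // placeholders plus a separate value list
try {
  buildInClauseSafe([GOOD_IDS[0], HOSTILE_ID]);
} catch (err) {
  console.log(`rejected before any query is built: ${err.message}`);
}
```

Either control alone closes this path; combining the allow-list with placeholders keeps the query safe if the id format is later relaxed.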

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: June 24, 2026
Last Modified: June 24, 2026
First Seen: June 24, 2026

Related Vulnerabilities