Main Vulnerability Database Vulnerabilities #VU125543

#VU125543 Code Injection in Flowise - CVE-2025-57164

Published: April 9, 2026

Vulnerability identifier: #VU125543

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-57164

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Flowise

Software vendor:
FlowiseAI

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the Supabase RPC Filter component when processing a user-supplied filter expression. A remote privileged user can inject malicious JavaScript into the filter expression field to execute arbitrary code.

Exploitation requires the Supabase vector store to be enabled, and the injected code executes within the backend runtime context when the node is triggered.

Remediation

Install security update from vendor's website.

External links

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7944-7c6r-55vv

#VU125543 Code Injection in Flowise - CVE-2025-57164

Description

Remediation

External links

Please verify you're human