Code Injection in Flowise - CVE-2025-57164

 

Code Injection in Flowise - CVE-2025-57164

Published: April 9, 2026


Vulnerability identifier: #VU125543
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-57164
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the Supabase RPC Filter component when processing a user-supplied filter expression. A remote privileged user can inject malicious JavaScript into the filter expression field to execute arbitrary code.

Exploitation requires the Supabase vector store to be enabled, and the injected code executes within the backend runtime context when the node is triggered.


How to mitigate CVE-2025-57164

Install security update from vendor's website.

Sources