Cyber Posture

CVE-2025-34267

Critical · Public PoC · RCE

Published: 14 October 2025

Modified: 27 October 2025
KEV Added
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0183 (83.1th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34267 is a critical-severity Command Injection (CWE-77) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Timely flaw remediation through patching Flowise to v3.0.8 or later eliminates the sandbox escape vulnerability in the Puppeteer and Playwright modules. Per the NVD description below, later versions remain affected when ALLOW_BUILTIN_DEP is enabled.

prevent

Secure configuration settings, such as disabling ALLOW_BUILTIN_DEP, prevent the insecure use of integrated modules that enable attacker-controlled browser execution.

prevent

Validating user-supplied browser binary paths and parameters blocks command injection (CWE-77) that circumvents the nodevm sandbox restrictions.
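
One way to apply the input-validation control above is an allowlist check on browser launch options before they reach Puppeteer or Playwright. This is an added example, not Flowise's code or its patch; `executablePath` and `args` are real launch options of both libraries, while `TRUSTED_BROWSER`, `ALLOWED_KEYS`, `ALLOWED_FLAGS` and `validateLaunchOptions` are hypothetical names with constructed values.

```javascript
// Assumptions (constructed for this example): one trusted browser binary and
// a short list of flags that tool authors are permitted to set.
const TRUSTED_BROWSER = '/usr/bin/chromium';
const ALLOWED_KEYS = new Set(['executablePath', 'args']);
const ALLOWED_FLAGS = new Set(['--disable-gpu', '--window-size', '--lang']);

// Returns { ok, errors, options }. `options` is rebuilt from validated values
// only, so nothing the caller supplied is passed through unchecked.
function validateLaunchOptions(input) {
  const errors = [];
  const opts = input && typeof input === 'object' ? input : {};

  // Reject every option that is not explicitly expected (env, and so on).
  for (const key of Object.keys(opts)) {
    if (!ALLOWED_KEYS.has(key)) errors.push(`option not allowed: ${key}`);
  }

  // The binary path decides what the host executes. Require an exact string
  // match, with no normalisation, so relative and traversal forms are refused.
  if (opts.executablePath !== undefined && opts.executablePath !== TRUSTED_BROWSER) {
    errors.push('executablePath is not the trusted browser');
  }

  // Each argument must be a string flag whose name is on the allowlist.
  const args = opts.args === undefined ? [] : opts.args;
  if (!Array.isArray(args)) {
    errors.push('args must be an array');
  } else {
    for (const a of args) {
      const name = typeof a === 'string' ? a.split('=')[0] : '';
      if (!ALLOWED_FLAGS.has(name)) errors.push(`argument not allowed: ${String(a)}`);
    }
  }

  const ok = errors.length === 0;
  const options = ok ? { executablePath: TRUSTED_BROWSER, args: [...args] } : null;
  return { ok, errors, options };
}

// Constructed sample inputs: one acceptable request, one that must be refused.
const accepted = validateLaunchOptions({ args: ['--window-size=1280,720'] });
const refused = validateLaunchOptions({
  executablePath: '/tmp/not-a-browser',
  args: ['--unlisted-flag'],
  env: { EXAMPLE: '1' },
});
console.log(accepted.ok, refused.errors);
```

Logging the `errors` array for refused requests gives a detection signal for tools that attempt to set a browser binary or unlisted parameters.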

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Authenticated RCE vulnerability in the public-facing Flowise web application directly enables exploitation of a public-facing application for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier.

Deeper analysis

CVE-2025-34267 is an authenticated remote code execution vulnerability combined with a Node VM sandbox escape in Flowise, affecting versions from v3.0.1 up to but not including 3.0.8, as well as all subsequent versions where the 'ALLOW_BUILTIN_DEP' configuration option is enabled. The issue stems from insecure usage of the integrated Puppeteer and Playwright modules within the nodevm execution environment. These modules allow specification of attacker-controlled browser binary paths and parameters, which bypass the intended sandbox restrictions when a tool leveraging them is executed.

An authenticated attacker with the ability to create or run a tool that uses Puppeteer or Playwright can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation results in arbitrary code execution on the host system in the context of the Flowise process, granting high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability is linked to CWE-77 (Command Injection).

Mitigation details are available in the official Flowise security advisory (GHSA-5w3r-f6gm-c25w) and a related pull request (#5231) on the Flowise GitHub repository, along with analysis from VulnCheck. Note that developers initially misidentified this as a duplicate of CVE-2025-26319, but it is distinct. Security practitioners should review these resources for patching instructions and disable 'ALLOW_BUILTIN_DEP' where possible. FlowiseAI is a low-code platform for building LLM applications, making this relevant to AI/ML deployments.

Details

CWE(s)

Affected Products

Vendor: flowiseai · Product: flowise · Versions: 3.0.1 — 3.0.8

CVEs Like This One

CVE-2026-41265: Same product (Flowiseai Flowise)
CVE-2026-41274: Same product (Flowiseai Flowise)
CVE-2026-41277: Same product (Flowiseai Flowise)
CVE-2025-8943: Same product (Flowiseai Flowise)
CVE-2026-41272: Same product (Flowiseai Flowise)
CVE-2026-30824: Same product (Flowiseai Flowise)
CVE-2026-41270: Same product (Flowiseai Flowise)
CVE-2026-41268: Same product (Flowiseai Flowise)
CVE-2026-41269: Same product (Flowiseai Flowise)
CVE-2026-40933: Same product (Flowiseai Flowise)
