Look up vulnerable packages by Package URL.

GET /api/packages/69898?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api",
    "purl": "pkg:npm/flowise@3.0.6",
    "type": "npm",
    "namespace": "",
    "name": "flowise",
    "version": "3.0.6",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "3.0.8",
    "latest_non_vulnerable_version": "3.0.13",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47559?format=api",
            "vulnerability_id": "VCID-2wkq-5agr-6bgz",
            "summary": "Flowise has Remote Code Execution vulnerability\nThe CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.\n\nSpecifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs.",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59528",
                    "reference_id": "CVE-2025-59528",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59528"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3gcm-f6qx-ff7p",
                    "reference_id": "GHSA-3gcm-f6qx-ff7p",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-3gcm-f6qx-ff7p"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p",
                    "reference_id": "GHSA-3gcm-f6qx-ff7p",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api",
                    "purl": "pkg:npm/flowise@3.0.6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"
                }
            ],
            "aliases": [
                "CVE-2025-59528",
                "GHSA-3gcm-f6qx-ff7p"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2wkq-5agr-6bgz"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48070?format=api",
            "vulnerability_id": "VCID-5vb2-73xr-97cw",
            "summary": "Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-7944-7c6r-55vv. This link is maintained to preserve external references.\n\n### Original Description\nFlowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the \"Supabase RPC Filter\" field.",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/main/packages/components/nodes/vectorstores/Supabase/Supabase.ts#L237",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/main/packages/components/nodes/vectorstores/Supabase/Supabase.ts#L237"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57164",
                    "reference_id": "CVE-2025-57164",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57164"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3g4j-r53p-22wx",
                    "reference_id": "GHSA-3g4j-r53p-22wx",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-3g4j-r53p-22wx"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7944-7c6r-55vv",
                    "reference_id": "GHSA-7944-7c6r-55vv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7944-7c6r-55vv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api",
                    "purl": "pkg:npm/flowise@3.0.6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"
                }
            ],
            "aliases": [
                "GHSA-3g4j-r53p-22wx"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5vb2-73xr-97cw"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47568?format=api",
            "vulnerability_id": "VCID-8wyy-ep3u-xkh5",
            "summary": "Flowise has an Arbitrary File Read\nAn arbitrary file read vulnerability in the `chatId` parameter supplied to both the `/api/v1/get-upload-file` and `/api/v1/openai-assistants-file/download` endpoints allows unauthenticated users to read unintended files on the local filesystem. In the default Flowise configuration this allows reading of the local sqlite db and subsequent compromise of all database content.",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-99pg-hqvx-r4gf",
                    "reference_id": "GHSA-99pg-hqvx-r4gf",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-99pg-hqvx-r4gf"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-99pg-hqvx-r4gf",
                    "reference_id": "GHSA-99pg-hqvx-r4gf",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-99pg-hqvx-r4gf"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api",
                    "purl": "pkg:npm/flowise@3.0.6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"
                }
            ],
            "aliases": [
                "GHSA-99pg-hqvx-r4gf"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8wyy-ep3u-xkh5"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47564?format=api",
            "vulnerability_id": "VCID-gjgw-sjnh-zkhr",
            "summary": "Duplicate\nThis advisory duplicates another.",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/src/utils.ts#L474-L478",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/src/utils.ts#L474-L478"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/fetch-links/index.ts#L6-L24",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/fetch-links/index.ts#L6-L24"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/fetch-links/index.ts#L8-L18",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/fetch-links/index.ts#L8-L18"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59527",
                    "reference_id": "CVE-2025-59527",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59527"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-hr92-4q35-4j3m",
                    "reference_id": "GHSA-hr92-4q35-4j3m",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-hr92-4q35-4j3m"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hr92-4q35-4j3m",
                    "reference_id": "GHSA-hr92-4q35-4j3m",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hr92-4q35-4j3m"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api",
                    "purl": "pkg:npm/flowise@3.0.6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"
                }
            ],
            "aliases": [
                "CVE-2025-59527",
                "GHSA-hr92-4q35-4j3m"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gjgw-sjnh-zkhr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47560?format=api",
            "vulnerability_id": "VCID-rhdz-rcy5-y3a6",
            "summary": "Duplicate\nThis advisory duplicates another.",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/flowise%403.0.5/packages/components/nodes/vectorstores/Supabase/Supabase.ts#L237",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/flowise%403.0.5/packages/components/nodes/vectorstores/Supabase/Supabase.ts#L237"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/blob/main/packages/components/nodes/vectorstores/Supabase/Supabase.ts#L237",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/blob/main/packages/components/nodes/vectorstores/Supabase/Supabase.ts#L237"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57164",
                    "reference_id": "CVE-2025-57164",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57164"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7944-7c6r-55vv",
                    "reference_id": "GHSA-7944-7c6r-55vv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-7944-7c6r-55vv"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7944-7c6r-55vv",
                    "reference_id": "GHSA-7944-7c6r-55vv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7944-7c6r-55vv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api",
                    "purl": "pkg:npm/flowise@3.0.6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"
                }
            ],
            "aliases": [
                "CVE-2025-57164",
                "GHSA-7944-7c6r-55vv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rhdz-rcy5-y3a6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47577?format=api",
            "vulnerability_id": "VCID-zmed-seae-ebfe",
            "summary": "Flowise has unsandboxed remote code execution via Custom MCP\nThe Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, the default installation of Flowise operates without authentication unless explicitly configured using the `FLOWISE_USERNAME` and `FLOWISE_PASSWORD` environment variables.\n\nThis combination presents a significant security risk, potentially allowing users on the platform to execute unsandboxed system commands. This can result in Remote Code Execution (RCE) and complete compromise of the running platform container or server.",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/commit/ac7cf30e019cde54905bf09b5d3fe1c6ba42f9b9",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/commit/ac7cf30e019cde54905bf09b5d3fe1c6ba42f9b9"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/pull/5201",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/pull/5201"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-6933-jpx5-q87q",
                    "reference_id": "GHSA-6933-jpx5-q87q",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-6933-jpx5-q87q"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6933-jpx5-q87q",
                    "reference_id": "GHSA-6933-jpx5-q87q",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6933-jpx5-q87q"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api",
                    "purl": "pkg:npm/flowise@3.0.6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"
                }
            ],
            "aliases": [
                "GHSA-6933-jpx5-q87q"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zmed-seae-ebfe"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"
}