PT-2025-39070 · Flowise · Flowise
Published
2025-09-22
·
Updated
2025-09-23
·
CVE-2025-59434
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Flowise Cloud (cloud-hosted Flowise) prior to the August 2025 release
Description
Flowise is a drag & drop user interface for building customized large language model flows. Flowise Cloud prior to the August 2025 release allows an authenticated user on the free tier to read sensitive environment variables belonging to other tenants. The Custom JavaScript Function node is the point of access: JavaScript placed in that node can read environment variables holding secrets such as OpenAI API keys, AWS credentials, Supabase tokens and Google Cloud secrets, so a low-privileged account in one tenant can obtain credentials of other tenants (cross-tenant data exposure).
Recommendations
Update to the August 2025 release of cloud-hosted Flowise to address the issue.
Exploit
Fix
Improper Access Control
Information Disclosure
Related Identifiers
Affected Products
Flowise