PT-2025-39072 · Flowise · Flowise

Published

2025-09-15

·

Updated

2025-09-23

·

CVE-2025-59527

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Flowise versions prior to 3.0.6 (Flowise version 3.0.5 confirmed affected)
Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the /api/v1/fetch-links endpoint of the Flowise application. It lets an attacker use the Flowise server as a proxy to reach web services on the internal network and enumerate their link structure. The root cause is that the fetch-links feature issues HTTP requests without validating the user-supplied URL when the relativeLinksMethod parameter is set to webCrawl or xmlScrape: fetch() is called directly with the provided URL, so the server can be pointed at internal services (loopback, private ranges, link-local addresses) that are not reachable from the attacker's position. The response and the links discovered from it are returned to the caller, which can expose sensitive internal administrative endpoints such as user management, API key and database configuration pages. An attacker can map internal web service structures and use the result as a starting point for lateral movement within an enterprise environment.

Recommendations

Update Flowise to version 3.0.6 or later.

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-03236
CVE-2025-59527
GHSA-HR92-4Q35-4J3M

Affected Products

Flowise