Authenticated Remote Code Execution in Flowise by FlowiseAI
CVE-2025-34267

8.4HIGH

Key Information:

Vendor: Flowiseai
Status: Flowise
Vendor: CVE Published:; 14 October 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34267?

An authenticated remote code execution vulnerability in Flowise versions prior to 3.0.8 exists due to the insecure handling of integrated modules such as Puppeteer and Playwright. Attackers with the ability to create or execute malicious tools can specify arbitrary browser binary paths and parameters, allowing them to run controlled executables on the host outside of the intended nodevm sandbox environment. This results in the execution of arbitrary code, effectively breaching security constraints and exposing the host to potential exploitation. Note that this vulnerability was misclassified as a duplicate of CVE-2025-26319, but it is distinct and requires immediate attention.

Affected Version(s)

Flowise 3.0.1 <= 3.0.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34267 - Proof of Concept

References

https://flowiseai.com/

product

https://github.com/FlowiseAI/Flowise/security/advisories/...

technical-descriptionexploit

https://github.com/FlowiseAI/Flowise/pull/5231

patch

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 14, 2025
👾
Exploit known to exist
Oct 14, 2025
Vulnerability published
Oct 14, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Cale Black of VulnCheck

JSON

Flowiseai