Server-Side Request Forgery Vulnerability in Flowise by FlowiseAI
CVE-2025-59527

7.5HIGH

Key Information:

Vendor: Flowiseai
Status: Flowise
Vendor: CVE Published:; 22 September 2025

What is CVE-2025-59527?

In Flowise version 3.0.5, a Server-Side Request Forgery vulnerability was identified in the /api/v1/fetch-links endpoint, enabling attackers to exploit the Flowise server as a proxy. This flaw allowed unauthorized access to internal network services, potentially exposing sensitive link structures. This issue has been resolved in version 3.0.6, reinforcing the security of the application.

Affected Version(s)

Flowise = 3.0.5

References

https://github.com/FlowiseAI/Flowise/security/advisories/...

x_refsource_CONFIRM

https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bc...

x_refsource_MISC

https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bc...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2025
Vulnerability Reserved
Sep 17, 2025

Flowiseai

What is CVE-2025-59527?

Affected Version(s)

References

CVSS V3.1

Timeline