CVE-2025-55346
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-14
Assigner: JFrog
Description
Description
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flowise | flowise | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because user-controlled input is passed to an unsafe implementation of a dynamic Function constructor. This allows network attackers to execute arbitrary unsandboxed JavaScript code on the host by sending a simple POST request.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can run arbitrary JavaScript code without sandboxing on the affected host, potentially leading to full compromise of confidentiality, integrity, and availability of the system.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70