CVE-2025-59434
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: GitHub, Inc.

Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScript Function node. This includes secrets such as OpenAI API keys, AWS credentials, Supabase tokens, and Google Cloud secrets β€” resulting in a full cross-tenant data exposure. This issue has been patched in the August 2025 Cloud-Hosted Flowise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59434
EUVD
EUVD-2025-30835
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59434 is a critical vulnerability in the cloud-hosted version of Flowise, a drag & drop interface for building large language model flows. It allows any authenticated user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScript Function node. This happens because the $vars object in the JavaScript execution context mistakenly includes environment variables from all tenants instead of just the current workspace. As a result, secrets like OpenAI API keys, AWS credentials, and Google Cloud secrets can be exposed to unauthorized users. [1]

Impact Analysis

This vulnerability can lead to severe impacts including leakage of sensitive credentials such as API keys and tokens, unauthorized use of paid third-party services (OpenAI, AWS, Google, etc.), access to internal database URIs, and potential lateral movement within the system. It can result in full cross-tenant data exposure and compromise of user data, making it a critical security risk. [1]

Detection Guidance

This vulnerability can be detected by creating a free-tier Flowise Cloud account and sending a crafted POST request to the /api/v1/node-custom-function endpoint with a JavaScript payload that enumerates the keys of the $vars object. This payload will reveal environment variable names and their values, including those from other tenants. For example, you can use a curl command to send such a POST request with a payload that returns Object.keys($vars) or similar JavaScript code to check if cross-tenant variables are accessible. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading to the patched version of Flowise Cloud released in August 2025, which fixes the issue. Additionally, revoke and rotate any potentially leaked credentials such as OpenAI API keys, AWS credentials, Supabase tokens, and Google Cloud secrets. Restrict access to the affected endpoints and monitor for suspicious activity. Urgent remediation is strongly recommended to prevent abuse and data compromise. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart