GHSA-r4hh-pcgx-j5r2

Source

https://github.com/advisories/GHSA-r4hh-pcgx-j5r2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-r4hh-pcgx-j5r2/GHSA-r4hh-pcgx-j5r2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r4hh-pcgx-j5r2

Aliases

CVE-2025-34267
GHSA-5w3r-f6gm-c25w

Published

2025-10-14T21:30:47Z

Modified

2025-10-29T05:14:59.637938Z

Severity

8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L CVSS Calculator

Summary

Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages

Details

Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOWBUILTINDEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host.

NOTE: This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 and should be considered distinct from that identifier.

Database specific

{
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-14T22:17:23Z",
    "nvd_published_at": "2025-10-14T20:15:34Z",
    "severity": "HIGH"
}

References

Affected packages

npm / flowise

Package

Name: flowise; View open source insights on deps.dev
Purl: pkg:npm/flowise

Affected ranges

Type: SEMVER
Events: Introduced

3.0.1

Fixed

3.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-r4hh-pcgx-j5r2/GHSA-r4hh-pcgx-j5r2.json"