CVE-2025-29189
HIGH7.6EPSS 0.13%Flowise Vulnerable to SQL Injection via `tableName` Parameter
Published: 4/9/2025Modified: 4/10/2025
Description
Flowise <= 2.2.3 is vulnerable to SQL Injection. via tableName parameter at Postgres_VectorStores.
Affected packages (1)
- npm/flowise-componentsfrom 0, < 2.2.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-29189
- PATCHhttps://github.com/FlowiseAI/Flowise
- WEBhttps://drive.google.com/file/d/1WHPslTmQmAM9xPJifULS2qAo7hcidB4L/view?usp=sharing
- WEBhttps://github.com/FlowiseAI/Flowise/commit/9a417bdc95f58d6dd92cbf60dad42414aba34754
- WEBhttps://github.com/FlowiseAI/Flowise/pull/3818