CVE Catalog

CVE-2025-71332

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

Flowise through version 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.

Risk Assessment

The risk involves the potential theft of sensitive credential data by an authenticated attacker, which could lead to privilege escalation and system compromise.

Recommendation

Immediately update Flowise to version 2.2.8 or later, which includes a fix for this vulnerability. If an update is not possible, restrict access to the importChatflows API to trusted users only.

Original NVD description (English source)

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS