CVE-2025-34267 Overview
CVE-2025-34267 is an authenticated remote code execution (RCE) vulnerability affecting Flowise v3.0.1 through v3.0.8 and all subsequent versions with the ALLOW_BUILTIN_DEP configuration option enabled. The vulnerability stems from insecure use of integrated browser automation modules (Puppeteer and Playwright) within the NodeVM execution environment, allowing attackers to escape the sandbox and execute arbitrary code on the host system.
An authenticated attacker who can create or run a tool leveraging Puppeteer or Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the malicious executable and parameters run directly on the host system, completely bypassing the intended NodeVM sandbox restrictions. This vulnerability was incorrectly assigned as a duplicate of CVE-2025-26319 by the developers but should be considered a distinct security issue.
Critical Impact
Authenticated attackers can achieve full remote code execution on the host system by escaping the NodeVM sandbox through malicious Puppeteer/Playwright configurations, potentially leading to complete system compromise.
Affected Products
- Flowiseai Flowise versions 3.0.1 through 3.0.8
- All Flowise versions after 3.0.8 with ALLOW_BUILTIN_DEP enabled
- Flowise deployments using Puppeteer or Playwright integrations
Discovery Timeline
- 2025-10-14 - CVE-2025-34267 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2025-34267
Vulnerability Analysis
This vulnerability represents a Command Injection (CWE-77) flaw that manifests through the interaction between Flowise's NodeVM sandbox and the integrated browser automation libraries. The core issue lies in how Flowise handles user-controllable parameters when initializing Puppeteer or Playwright browser instances within the sandboxed environment.
The NodeVM sandbox is designed to restrict code execution within isolated JavaScript contexts, preventing direct access to system resources. However, the Puppeteer and Playwright modules require legitimate access to spawn browser processes on the host system. This architectural requirement creates an inherent trust boundary violation when user-supplied configuration parameters (such as executablePath for browser binaries or args for browser launch arguments) are passed directly to these modules without adequate validation.
When an authenticated user creates a tool configuration specifying a malicious binary path or crafted launch arguments, the sandbox restrictions are effectively bypassed. The NodeVM executes the browser automation code, which in turn spawns processes on the host system using the attacker-controlled parameters—outside the sandbox's protective boundary.
Root Cause
The root cause of CVE-2025-34267 is insufficient input validation and lack of restrictions on browser executable paths and launch parameters within the Flowise tool creation workflow. The ALLOW_BUILTIN_DEP configuration flag enables access to built-in Node.js dependencies including Puppeteer and Playwright, but the application fails to sanitize or restrict the browser binary paths and command-line arguments that authenticated users can specify.
The NodeVM sandbox cannot intercept or validate process spawning operations initiated by these browser automation libraries since they operate at the native module level, outside the JavaScript sandbox scope. This creates a privilege escalation path from authenticated web user to arbitrary code execution on the host.
Attack Vector
The attack leverages the network-accessible Flowise web interface and requires authenticated access. An attacker with valid credentials performs the following attack sequence:
- Authenticates to the Flowise application
- Creates or modifies a tool configuration that uses Puppeteer or Playwright
- Specifies a malicious executablePath pointing to an attacker-controlled binary (or an existing system binary with crafted arguments)
- Triggers tool execution, causing the NodeVM to invoke the browser automation module
- The specified binary executes on the host system with the attacker's parameters, achieving arbitrary code execution
The attack does not require user interaction beyond authentication, and exploitation complexity is low given the straightforward parameter injection mechanism. For detailed technical analysis, refer to the VulnCheck Advisory on Flowise.
Detection Methods for CVE-2025-34267
Indicators of Compromise
- Unusual tool configurations containing non-standard executablePath values pointing to system utilities or uploaded binaries
- Process spawning from the Flowise application context with unexpected parent-child process relationships
- Suspicious command-line arguments in browser processes or unexpected binary executions originating from Node.js processes
- Tool definitions referencing absolute paths outside standard browser installation directories
Detection Strategies
- Monitor process creation events originating from the Flowise server process, especially looking for non-browser executables spawned after Puppeteer/Playwright initialization
- Implement file integrity monitoring on tool configuration storage to detect unauthorized modifications to browser path settings
- Review application logs for tool creation or modification events containing suspicious executable paths or arguments
- Deploy runtime application self-protection (RASP) to detect and block process spawning with unexpected binaries
Monitoring Recommendations
- Enable comprehensive audit logging for all tool creation and modification events within Flowise
- Configure endpoint detection and response (EDR) solutions to alert on process chains showing Node.js spawning unexpected child processes
- Establish baseline behavior for legitimate Puppeteer/Playwright usage and alert on deviations in executable paths or launch arguments
- Monitor network traffic for post-exploitation indicators such as reverse shell connections or data exfiltration attempts
How to Mitigate CVE-2025-34267
Immediate Actions Required
- Disable the ALLOW_BUILTIN_DEP configuration option if Puppeteer/Playwright functionality is not required for business operations
- Review all existing tool configurations for suspicious executablePath or browser argument specifications
- Implement strict access controls to limit which users can create or modify tools using browser automation features
- Consider network segmentation to isolate Flowise deployments from critical infrastructure pending patch application
Patch Information
FlowiseAI has addressed this vulnerability through security updates. Organizations should upgrade to a patched version as documented in the GitHub Security Advisory GHSA-5w3r-f6gm-c25w. The fix is tracked in GitHub Pull Request #5231, which implements restrictions on browser executable paths and launch arguments within the tool configuration workflow.
Prior to patching, administrators should verify that authentication is properly enforced and consider implementing additional access controls to restrict tool creation capabilities.
Workarounds
- Disable the ALLOW_BUILTIN_DEP environment variable to prevent access to Puppeteer and Playwright modules entirely
- Implement application-level firewall rules to block tool creation API endpoints for non-administrative users
- Deploy containerization with restricted capabilities to limit the impact of sandbox escape, preventing access to sensitive host resources
- Use read-only file systems for Flowise deployments where possible to prevent persistence of malicious tools
# Disable ALLOW_BUILTIN_DEP in Flowise configuration
export ALLOW_BUILTIN_DEP=false
# Restart Flowise service to apply changes
systemctl restart flowise
# Verify configuration is disabled
grep -i "ALLOW_BUILTIN_DEP" /path/to/flowise/.env
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
