CVE-2025-50538 Overview
CVE-2025-50538 is a stored cross-site scripting (XSS) vulnerability in Flowise, an open-source visual builder for large language model (LLM) applications. Versions prior to 3.0.5 fail to sanitize IFRAME elements rendered in the chat log. When an administrator opens a chat log containing a crafted payload, the malicious HTML executes in the administrator's browser session. The flaw is tracked under [CWE-79] and stems from insufficient output encoding in the admin chat log view.
Critical Impact
An unauthenticated attacker can inject HTML IFRAME payloads into chat logs that execute in an administrator's browser context, enabling session theft, admin action forgery, and potential pivoting into connected LLM workflows.
Affected Products
- FlowiseAI Flowise versions prior to 3.0.5
- Deployments exposing the admin chat log viewer to untrusted chat inputs
- Self-hosted Flowise instances without upstream sanitization proxies
Discovery Timeline
- 2025-10-06 - CVE-2025-50538 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-50538
Vulnerability Analysis
Flowise stores chat history from end users and exposes it through an administrator-facing chat log interface. The interface renders stored message content without stripping or encoding dangerous HTML elements. An attacker interacting with a Flowise chatflow can submit a message containing an IFRAME element that references an attacker-controlled URL. The payload persists in the chat log store. When an administrator later reviews conversations, the browser parses and loads the IFRAME, executing attacker-supplied content inside the Flowise admin origin.
Because Flowise administrators manage LLM pipelines, API keys, and credentials for downstream services, script execution in the admin session can expose sensitive configuration data. The vulnerability requires user interaction from the administrator, which limits automatic exploitation but aligns with typical stored XSS patterns where the payload waits passively for a privileged viewer.
Root Cause
The root cause is missing output sanitization of chat message content before rendering it in the admin log view. The application trusts stored chat content as safe HTML rather than treating it as untrusted user input. The upstream fix in pull request FlowiseAI/Flowise#4905 adds sanitization to remove dangerous elements including IFRAME before display.
Attack Vector
Exploitation requires network access to a Flowise chatflow endpoint and administrator interaction with the chat log UI. The attacker submits a chat message containing an IFRAME element whose src attribute points to attacker-controlled JavaScript or a phishing page. When the administrator opens the log, the frame loads in the admin origin and can attempt DOM access, credential prompts, or fetch requests against Flowise APIs using the admin session cookies. No verified public proof-of-concept has been published for this issue.
Detection Methods for CVE-2025-50538
Indicators of Compromise
- Chat log entries containing <iframe>, <script>, or javascript: URIs stored in the Flowise message database
- Outbound requests from administrator browsers to unfamiliar domains immediately after opening the chat log page
- Unexpected API calls to Flowise admin endpoints originating from an admin session with an unusual Referer header
Detection Strategies
- Query the Flowise chat message store for HTML tag patterns such as <iframe, <script, or onerror= in message bodies
- Enable browser Content Security Policy (CSP) reporting to capture attempts to load frames or scripts from unauthorized origins
- Review web server access logs for POSTs to prediction and chat endpoints containing encoded HTML markup from unauthenticated clients
Monitoring Recommendations
- Monitor administrator browser sessions for anomalous outbound connections triggered by the Flowise admin console
- Alert on modifications to Flowise credentials, API keys, or chatflow definitions that follow chat log access events
- Correlate authentication events for Flowise admin accounts with network traffic to newly observed domains
How to Mitigate CVE-2025-50538
Immediate Actions Required
- Upgrade Flowise to version 3.0.5 or later, which includes the sanitization fix from pull request 4905
- Restrict administrative access to the Flowise console to trusted networks or VPN-only paths until patched
- Rotate any API keys, secrets, and credentials stored in Flowise if administrator sessions may have been exposed
Patch Information
The issue is resolved in Flowise 3.0.5. Refer to the Flowise 3.0.5 release notes, the GitHub Security Advisory GHSA-964p-j4gg-mhwc, and the upstream fix pull request for details on the sanitization changes.
Workarounds
- Deploy a reverse proxy that strips HTML tags such as iframe and script from chat message payloads before they reach Flowise
- Enforce a strict Content Security Policy on the Flowise admin origin that blocks frame-src and inline script execution
- Avoid opening chat logs from untrusted or publicly exposed chatflows until upgrade is complete
# Upgrade Flowise via npm to the patched release
npm install -g flowise@3.0.5
# Or via Docker
docker pull flowiseai/flowise:3.0.5
docker stop flowise && docker rm flowise
docker run -d --name flowise -p 3000:3000 flowiseai/flowise:3.0.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

