CVE-2025-71331 Overview
CVE-2025-71331 is a cross-site scripting (XSS) vulnerability affecting Flowise versions before 3.0.8. The flaw stems from insufficient input filtering in chat messages and custom agent functions. Attackers can inject malicious JavaScript through <iframe> payloads delivered in chat boxes or returned from custom agent functions that fetch content from external websites. When a victim views the response, the injected script executes in their browser context. This enables theft of cookies, session tokens, and other browser-accessible data. The vulnerability is tracked under [CWE-80] (Improper Neutralization of Script-Related HTML Tags in a Web Page).
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser session, stealing cookies and session data to hijack authenticated Flowise sessions.
Affected Products
- FlowiseAI Flowise versions prior to 3.0.8
- Flowise deployments exposing chat interfaces to untrusted users
- Flowise instances using custom agent functions that return external content
Discovery Timeline
- 2026-06-20 - CVE-2025-71331 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-71331
Vulnerability Analysis
Flowise is an open-source low-code platform used to build large language model (LLM) applications and AI agent workflows. The vulnerable code paths fail to sanitize or encode HTML content submitted through chat messages and content returned by custom agent functions. Because the chat interface renders responses as HTML, an attacker can supply markup containing javascript: URI schemes inside <iframe> tags. The browser parses the iframe element and executes the embedded JavaScript in the origin of the Flowise application. A second exploitation path arises when a custom agent function retrieves data from an attacker-controlled external website. Returned XSS payloads pass through the same unsafe rendering pipeline, executing in the context of any user who triggers that agent flow.
Root Cause
The root cause is missing output encoding and inadequate HTML sanitization in the chat rendering layer. User-controlled strings and agent-returned content reach the DOM without stripping dangerous elements such as <iframe>, <script>, or event handler attributes. The component falls under [CWE-80], reflecting failure to neutralize script-related HTML tags.
Attack Vector
Exploitation requires network access to a Flowise chat endpoint and user interaction with the affected interface. An attacker can submit an iframe payload such as <iframe src="javascript:alert(document.cookie)"> directly into a chat box. Alternatively, they can host an XSS payload on a third-party site that a custom agent function fetches and returns. When a Flowise user views the response, the script executes with the privileges of that user's browser session.
No verified public proof-of-concept code is published. See the VulnCheck Advisory - XSS in Flowise for additional technical context.
Detection Methods for CVE-2025-71331
Indicators of Compromise
- Chat message logs containing <iframe, javascript:, onerror=, or <script substrings submitted to Flowise endpoints.
- Outbound HTTP requests from Flowise to unexpected external domains initiated by custom agent functions.
- Unexpected document.cookie or fetch() activity originating from the Flowise web origin in browser telemetry.
Detection Strategies
- Inspect Flowise application logs and reverse proxy access logs for chat payloads containing HTML tags or javascript: URIs.
- Deploy a web application firewall (WAF) rule that flags requests to /api/v1/prediction and chat APIs containing iframe or script markup.
- Review custom agent function configurations for HTTP requests to untrusted third-party endpoints.
Monitoring Recommendations
- Forward Flowise application and reverse proxy logs to a centralized analytics platform and alert on suspicious HTML in chat fields.
- Monitor authentication events for session reuse from unexpected IP addresses, indicating possible cookie theft.
- Track new or modified custom agent functions and audit the external URLs they contact.
How to Mitigate CVE-2025-71331
Immediate Actions Required
- Upgrade Flowise to version 3.0.8 or later on all production and development deployments.
- Restrict chat interface access to authenticated, trusted users while patching is in progress.
- Audit existing custom agent functions and disable any that fetch content from untrusted external sources.
Patch Information
The vendor addressed the vulnerability in Flowise 3.0.8. Patch details and remediation guidance are published in the GitHub Security Advisory GHSA-4fr9-3x69-36wv.
Workarounds
- Place Flowise behind a reverse proxy configured with a strict Content Security Policy (CSP) that disallows inline scripts and javascript: URIs.
- Filter or block chat submissions containing HTML tags such as <iframe>, <script>, and event handler attributes at the WAF layer.
- Limit custom agent functions to a vetted allowlist of external domains until the upgrade is applied.
# Example nginx Content Security Policy header for Flowise reverse proxy
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

