CVE-2025-71332 Overview
CVE-2025-71332 is a SQL injection vulnerability affecting Flowise through version 2.2.7. The flaw resides in the importChatflows API, where the chatflow.id value from an imported JSON file is concatenated unsanitized into a SQL IN clause. An authenticated user can submit a crafted import file containing arbitrary SQL in the id field, which the database then executes. Successful exploitation supports both blind and error-based extraction of data, including records from the credential table that stores sensitive integration secrets. The vulnerability is tracked under CWE-89: SQL Injection.
Critical Impact
Authenticated attackers can exfiltrate stored credentials and other sensitive database contents through crafted chatflow import files.
Affected Products
- Flowise versions up to and including 2.2.7
- The importChatflows API endpoint
- Deployments storing third-party credentials in the Flowise credential table
Discovery Timeline
- 2026-06-24 - CVE-2025-71332 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2025-71332
Vulnerability Analysis
Flowise is an open-source low-code platform for building LLM (Large Language Model) workflows. The importChatflows API accepts a JSON payload describing one or more chatflows to import into the application. Each chatflow object carries an id field that the backend uses to query whether the chatflow already exists.
The backend builds a SQL query by concatenating these id values directly into an IN (...) clause without parameterization or sanitization. Because the import payload is fully attacker-controlled, the id field becomes a direct sink for SQL injection. An attacker authenticated to the Flowise instance can replace the expected identifier with SQL syntax that closes the clause and appends arbitrary statements.
The injection supports blind boolean-based and error-based techniques. This enables full enumeration of database contents, with the credential table being the highest-value target because it holds API keys and tokens for integrated services.
Root Cause
The root cause is failure to use parameterized queries when constructing the lookup against user-supplied identifiers. Input validation on the id field is absent, so non-UUID values pass through to the query builder.
Attack Vector
Exploitation requires authenticated access to the Flowise instance and the ability to invoke importChatflows. The attacker crafts a JSON file where the chatflow id field contains a SQL payload, then submits it through the import API. The injected SQL executes with the privileges of the Flowise database user, which typically has full read and write access to all application tables, including credential.
No verified public exploit code is currently available. Refer to the VulnCheck SQL Injection Advisory and the GitHub Security Advisory for additional technical detail.
Detection Methods for CVE-2025-71332
Indicators of Compromise
- POST requests to /api/v1/chatflows/importchatflows containing JSON id fields with non-UUID characters such as quotes, parentheses, UNION, SELECT, or --.
- Database error messages or slow query patterns originating from the chatflow lookup query around the time of an import request.
- Unexpected reads against the credential table that do not correlate with normal application flow.
Detection Strategies
- Inspect application and reverse-proxy logs for importChatflows requests with oversized or malformed id values.
- Enable SQL query logging on the Flowise database and alert on queries containing concatenated IN clauses with suspicious tokens.
- Correlate authenticated user sessions performing imports with subsequent abnormal database activity.
Monitoring Recommendations
- Track all authenticated API calls to chatflow import endpoints, recording the requesting user, source IP, and payload size.
- Monitor egress from the Flowise host for unusual data volumes that could indicate credential exfiltration.
- Audit the credential table for read patterns outside expected runtime workflows.
How to Mitigate CVE-2025-71332
Immediate Actions Required
- Upgrade Flowise to a version newer than 2.2.7 that addresses the importChatflows injection once released by the maintainers.
- Restrict access to the Flowise application to trusted users and place the instance behind an authenticating reverse proxy.
- Rotate all credentials and API keys stored in the Flowise credential table if exposure is suspected.
- Disable or block the importChatflows endpoint at the proxy layer until a patched build is deployed.
Patch Information
Review the GitHub Security Advisory GHSA-9c4c-g95m-c8cp for the fixed version and patch commit. Apply the upstream fix that replaces string concatenation with parameterized queries for the chatflow id lookup.
Workarounds
- Block requests to /api/v1/chatflows/importchatflows at the web application firewall or reverse proxy.
- Limit which user roles can invoke import functionality and audit the existing user list for unused accounts.
- Run Flowise with a database account whose privileges are scoped to the minimum tables required, reducing the blast radius of any injection.
# Example NGINX block to disable the vulnerable endpoint until patched
location /api/v1/chatflows/importchatflows {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

