PRP: Flowise CVE-2025-55346 RCE

[mzfr]

• Identifier of the vulnerability: CVE-2025-55346
• Affected software: Flowise (npm package flowise, affected versions <= 2.2.7-patch.1)
• Type of vulnerability: Dynamic Function constructor / Eval injection → Remote Code Execution
• Requires authentication: No
• Language you would use for writing the plugin: Templated plugins
• Resources:
  • GitHub Advisory – GHSA-hmgh-466j-fx4c: GHSA-hmgh-466j-fx4c
  • NVD – CVE-2025-55346: https://nvd.nist.gov/vuln/detail/CVE-2025-55346
  • JFrog research writeup: https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925/
  • OSV entry: https://osv.dev/vulnerability/GHSA-hmgh-466j-fx4c

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 1 issues tagged as main;
• The contributor has 1 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[github-actions]

This issue has been put in your contributor queue. This usually
means that you already are working on a contribution and the
panel is waiting for your other contributions to be fully
merged.

An issue in your queue is not pre-approved. Any issue that is
not explicitely approved by the panel will not be eligible for
a reward.

Unless there is an emergency, an issue in your queue cannot be
claimed by another contributor.

~The Tsunami PRP team