2397489 – (CVE-2025-59434) CVE-2025-59434 Flowise: Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Bug 2397489 (CVE-2025-59434) - CVE-2025-59434 Flowise: Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Summary: CVE-2025-59434 Flowise: Critical Multi-Tenant Variable Disclosure in Flowise ...

Keywords:
Status:	NEW
Alias:	CVE-2025-59434
Product:	Security Response
Classification:	Other
Component:	vulnerability-draft
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-22 20:01 UTC by OSIDB Bzimport
Modified:	2025-09-22 20:55 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-22 20:01:16 UTC

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScript Function node. This includes secrets such as OpenAI API keys, AWS credentials, Supabase tokens, and Google Cloud secrets — resulting in a full cross-tenant data exposure. This issue has been patched in the August 2025 Cloud-Hosted Flowise.

Note You need to log in before you can comment on or make changes to this bug.