Platform
nodejs
Component
flowise
Fixed in
3.0.6
3.0.6
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Flowise, specifically within the /api/v1/fetch-links endpoint. This flaw allows attackers to leverage the Flowise server as a proxy, potentially gaining access to internal network resources and sensitive administrative interfaces. The vulnerability impacts Flowise versions up to 3.0.5, and a fix is available in version 3.0.6.
The SSRF vulnerability in Flowise allows an attacker to craft malicious requests that are executed by the Flowise server. Because the server acts as a proxy, the attacker can bypass network restrictions and access internal web services that would normally be inaccessible from the outside. This could include sensitive administrative panels, internal APIs, or other resources that contain confidential data. The potential impact extends to information disclosure, unauthorized access to internal systems, and potentially even the execution of arbitrary code if vulnerable internal services are exposed. Exploitation could reveal internal network topology and expose vulnerabilities in other internal systems.
This vulnerability was publicly disclosed on 2025-09-15. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it relatively easy to exploit. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. Given the ease of exploitation and potential impact, organizations should prioritize patching.
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59527 is to upgrade Flowise to version 3.0.6 or later, which contains the fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting outbound network access from the Flowise server to only necessary domains. Implement a Web Application Firewall (WAF) with rules to block requests to the /api/v1/fetch-links endpoint or filter requests based on URL patterns that could indicate SSRF exploitation. Monitor Flowise server logs for unusual outbound requests or connections to unexpected internal resources.
Update Flowise to version 3.0.6 or higher. This version contains a fix for the SSRF vulnerability in the /api/v1/fetch-links endpoint. The update will prevent attackers from using your server as a proxy to access internal network services.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-59527 is a Server-Side Request Forgery (SSRF) vulnerability in Flowise versions up to 3.0.5, allowing attackers to use the server as a proxy to access internal resources.
You are affected if you are running Flowise version 3.0.5 or earlier. Upgrade to 3.0.6 or later to mitigate the risk.
Upgrade Flowise to version 3.0.6 or later. As a temporary workaround, restrict outbound network access or implement WAF rules.
While no active exploitation has been publicly confirmed, the SSRF nature of the vulnerability makes it easily exploitable, so proactive patching is recommended.
Refer to the Flowise project's official security advisories and release notes for details on this vulnerability and the fix.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.