Vulnerability Description
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. This issue has been patched in version 3.0.6.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flowiseai | Flowise | 3.0.5 |
Related Weaknesses (CWE)
References
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81 (Product)
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81 (Product)
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81 (Product)
- https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6 (Release Notes)
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hr92-4q35-4j3m (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-59527?
CVE-2025-59527 is a vulnerability with a CVSS score of 7.5 (HIGH). Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links ...
How severe is CVE-2025-59527?
CVE-2025-59527 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-59527?
Check the references section above for vendor advisories and patch information. Affected products include: Flowiseai Flowise.