AI description
CVE-2025-55346 is an improper control of code generation (CWE-94) vulnerability: user-controlled input flows into an unsafe use of the dynamic Function constructor, which lets network attackers run arbitrary, unsandboxed JavaScript code in the host's context by sending a simple POST request. The vulnerability allows a remote attacker to execute arbitrary JavaScript code without requiring any user interaction. This can lead to a complete system compromise, unauthorized access to sensitive data, manipulation of application functionality, and potential lateral movement within the network.
- Description: User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.
- Source: reefs@jfrog.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- Source: reefs@jfrog.com
- Weakness: CWE-94
- Hype score: Not currently trending
Flowise JS vulnerability (CVE-2025-55346) occurs when user-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host via a crafted POST request. https://t.co/ccy
@Cloudforce_One
19 Aug 2025
Critical vulnerabilities in the AI platform Flowise. CVE-2025-8943 and CVE-2025-55346 have a CVSS score of 9.8. The former is OS command injection and the latter is JavaScript injection. Fixed in the latest version. https://t.co/nQ5550v6hf
@__kokumoto
16 Aug 2025