
105 matches found

OSV
added 2025/10/06 2:08 p.m. · 4 views

GHSA-HMGH-466J-FX4C Flowise vulnerable to RCE via Dynamic function constructor injection

Summary User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing a malicious actor to run JS code in the context of the host, not sandboxed, leading to RCE. Details When creating a new Custom MCP Chatflow in the platform, the MCP Server Config displays a...

CVSS 9.8 · AI score 7.8 · EPSS 0.00052
Exploits 0 · References 4
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2024-3277

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 6.4 · EPSS 0.00318
Exploits 1 · References 5
Positive Technologies
added 2025/09/15 12:00 a.m. · 3 views

PT-2025-39075

Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.6. Description: A remote code execution issue exists in the CustomMCP node, which allows users to input configuration settings for connecting to an external Model Context Protocol (MCP) server. The node parses the...

CVSS 10 · AI score 7.8 · EPSS 0.86202
Exploits 20 · References 86
RedhatCVE
added 2025/08/16 10:10 a.m. · 2 views

CVE-2025-55346

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request...

CVSS 9.8 · AI score 7.4 · EPSS 0.00052
Exploits 0 · References 1
Github Security Blog
added 2025/08/14 12:30 p.m. · 7 views

Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hmgh-466j-fx4c. This link is maintained to preserve external references. Original Description User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers...

CVSS 9.8 · AI score 6.9 · EPSS 0.00052
Exploits 0 · References 3 · Affected Software 1
Snyk
added 2025/08/14 10:43 a.m. · 1 view

Arbitrary Code Injection

Overview: flowise-components is a FlowiseAI components package. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the unsafe implementation of a dynamic Function constructor. An attacker can execute arbitrary JavaScript code on the server by sending a crafted POST request...

CVSS 9.8 · AI score 7.8 · EPSS 0.00052
Exploits 0 · References 2
NVD
added 2025/08/14 10:15 a.m. · 4 views

CVE-2025-55346

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request...

CVSS 9.8 · EPSS 0.00052
Exploits 0 · References 1
CVE
added 2025/08/14 9:49 a.m. · 20 views

CVE-2025-55346

Flowise exposes a remote code execution vector via the CustomMCP tool: input from mcpServerConfig is passed into a dynamic Function constructor (Function('return '+ input)()) in the host context, which can access global process and Node.js modules. This allows arbitrary JS execution (RCE) when cr...

CVSS 9.8 · AI score 7.3 · EPSS 0.00052
In wild · Exploits 0 · References 1
Vulnrichment
added 2025/08/14 9:49 a.m. · 1 view

CVE-2025-55346 Unintended dynamic code execution leads to remote code execution by network attackers

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request...

CVSS 9.8 · AI score 7.3 · EPSS 0.00052
Exploits 0 · References 1
Cvelist
added 2025/08/14 9:49 a.m. · 6 views

CVE-2025-55346 Unintended dynamic code execution leads to remote code execution by network attackers

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request...

CVSS 9.8 · EPSS 0.00052
Exploits 0 · References 1
CNNVD
added 2025/08/14 12:00 a.m. · 2 views

Flowise security vulnerability

Flowise is a FlowiseAI open source tool for easily building LLM applications. A security vulnerability exists in Flowise that stems from user-controlled input flow to an insecure dynamic function constructor implementation that could lead to the execution of arbitrary non-sandboxed JS code in the...

CVSS 9.8 · AI score 6.8 · EPSS 0.00052
Exploits 0 · References 1
OSSF Malicious Packages
added 2025/05/17 6:38 a.m. · 2 views

Malicious code in ts-runtime-compat-check (npm)

The npm package ts-runtime-compat-check is a malicious package that functions as a key component in a remote code execution attack chain. This package: 1. Contains a postinstall script that executes lib/install.js 2. The install script makes HTTP requests to a server specified by an environment...

AI score 8.1
Exploits 0 · References 1
Github Security Blog
added 2024/11/13 6:30 a.m. · 15 views

dom-iterator code execution vulnerability

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not...

CVSS 9.8 · AI score 8.5 · EPSS 0.00318
Exploits 1 · References 5 · Affected Software 1
OSV
added 2024/11/13 6:30 a.m. · 8 views

GHSA-JRVM-MCXC-MF6M dom-iterator code execution vulnerability

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not...

CVSS 7.3 · AI score 8.5 · EPSS 0.00318
Exploits 1 · References 5
OSV
added 2024/11/13 5:15 a.m. · 7 views

CVE-2024-21541

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not...

CVSS 9.8 · AI score 8.5
Exploits 0 · References 3
NVD
added 2024/11/13 5:15 a.m. · 11 views

CVE-2024-21541

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not...

CVSS 9.8 · EPSS 0.00318
Exploits 1 · References 3
Vulnrichment
added 2024/11/13 5:00 a.m. · 10 views

CVE-2024-21541

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not...

CVSS 7.3 · AI score 8.6 · EPSS 0.00318
Exploits 1 · References 3
Cvelist
added 2024/11/13 5:00 a.m. · 15 views

CVE-2024-21541

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not...

CVSS 7.3 · EPSS 0.00318
Exploits 1 · References 3
CVE
added 2024/11/13 5:00 a.m. · 76 views

CVE-2024-21541

CVE-2024-21541 affects the npm package dom-iterator prior to version 1.0.1. The vulnerability stems from use of the Function constructor without complete input sanitization, allowing attacker-controlled input to generate a new function body, with risks similar to eval. This is corroborated by...

CVSS 9.8 · AI score 8.6 · EPSS 0.00318
Exploits 1 · References 3 · Affected Software 1
Positive Technologies
added 2024/11/13 12:00 a.m. · 2 views

PT-2024-18954 · Unknown · Dom-Iterator

Name of the Vulnerable Software and Affected Versions: dom-iterator versions prior to 1.0.1 Description: The issue is related to Arbitrary Code Execution due to the use of the Function constructor without complete input sanitization. This allows an attacker to generate a new function body, posing...

CVSS 9.8 · AI score 7.6 · EPSS 0.00318
Exploits 1 · References 12