{"data":{"id":"eabd879f-4e4f-44bf-9fba-ac98f2585dc5","title":"CVE-2025-59434: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise...","summary":"Flowise is a tool with a visual interface for building customized AI workflows. Before August 2025, free-tier users on Flowise Cloud could access sensitive secrets (like API keys for OpenAI, AWS, and Google Cloud) belonging to other users through a Custom JavaScript Function node, exposing data across different user accounts. This cross-tenant data exposure vulnerability has been patched in the August 2025 update.","solution":"Update to the August 2025 Cloud-Hosted Flowise version or later, which includes the patch for this vulnerability.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-59434","publishedAt":"2025-09-23T00:15:39.017Z","cveId":"CVE-2025-59434","cweIds":["CWE-200","CWE-284"],"cvssScore":"9.6","cvssSeverity":"critical","severity":"critical","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise","OpenAI","AWS","Supabase","Google Cloud"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00051,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-116"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}