CVE-2025-59527: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side
Summary
Flowise version 3.0.5 contains a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick the server into making requests to internal networks on their behalf) in the /api/v1/fetch-links endpoint, allowing attackers to use the Flowise server as a proxy to access and explore internal web services. This vulnerability was patched in version 3.0.6.
Solution / Mitigation
Update to version 3.0.6, which contains the patch for this vulnerability.
Vulnerability Details
7.5 (high)
EPSS: 0.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-59527
First tracked: February 15, 2026 at 08:53 PM