GHSA-964p-j4gg-mhwc: 
Flowise vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability (GHSA-964p-j4gg-mhwc, CVE-2025-50538) was discovered in FlowiseAI affecting versions below 3.0.8. The vulnerability allows attackers to inject arbitrary JavaScript code via message input in the FlowiseAI admin panel. The issue was discovered and disclosed on October 3, 2025, affecting the npm package 'flowise' (GitHub Advisory).

The vulnerability stems from inadequate input sanitization when displaying stored user messages in the admin interface. When an administrator views messages using the "View Messages" button in the workflow UI, malicious JavaScript code can be executed in the context of the admin's browser. The vulnerability has been assigned a CVSS v3.1 score of 9.3 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, indicating network attack vector, low complexity, no privileges required, and user interaction required (NVD).

The vulnerability enables credential theft via access to localStorage and potentially leads to account takeover, admin privilege escalation, and full panel compromise. Any admin viewing messages in the FlowiseAI UI is at risk, with admin credentials and sensitive information stored in localStorage being the primary targets (GitHub Advisory).

The vulnerability has been patched in version 3.0.8. The fix includes the introduction of a SafeHTML component to sanitize and safely render HTML content in ViewMessagesDialog and NodeExecutionDetails components, replacing direct HTML rendering in the ChatMessage component for enhanced security (GitHub Release).