
Cloud Vulnerability DB
A community-led vulnerabilities database
A SQL injection vulnerability (GHSA-9c4c-g95m-c8cp) was discovered in Flowise versions 2.2.7 and earlier, affecting the import functions (importChatflows, importTools, importVariables). The vulnerability was published on April 7, 2025, and allows authenticated users to perform SQL injection through insufficient validation of chatflow.id in the importChatflows API (GitHub Advisory).
The vulnerability stems from unsafe SQL query construction in the importChatflows API. When processing imported chatflows, the API incorporates user-supplied chatflow IDs directly into SQL queries without validating or escaping them. The vulnerability manifests in two ways: through path traversal by adding '../' to chatflow.id, and through SQL injection when SQL fragments are supplied as newChatflow.id. The CVSS score is 5.9 (Moderate), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (GitHub Advisory).
The vulnerability can lead to database leaks and lateral movement within the system. Attackers can potentially access sensitive information from the Flowise database, including credential tables. A demonstrated exploitation extracted encrypted data and credential names from the database (GitHub Advisory).
It is recommended to limit all chatflow IDs and chat IDs to UUID format to prevent SQL injection attacks. As of the advisory publication, there is no patched version available (GitHub Advisory).
The vulnerability was addressed through a pull request (#4226) which was merged into the main branch of Flowise. The fix involves validating IDs for all imports to prevent SQL injection attacks (GitHub PR).
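The following is an added example, not Flowise's own code or the code from PR #4226. It shows the mitigation the advisory recommends: every imported chatflow ID is checked against a UUID shape before any database work, and the ID reaches the query only as a bound parameter rather than as query text. The record shape (ImportedChatflow), the table name chat_flow, the function names, and the sample import records are all assumptions constructed for the example; the path-traversal style ID mirrors the '../' case the advisory describes.

```typescript
// Added example (not Flowise project code): validate import IDs as UUIDs and
// keep user-supplied values out of the SQL text entirely.

// Shape check for an RFC 4122 UUID string (8-4-4-4-12 hex groups). Assumed
// ID format; it rejects quotes, path separators and anything non-hex.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value: unknown): value is string {
  return typeof value === "string" && UUID_RE.test(value);
}

// Hypothetical minimal shape of one imported chatflow record.
interface ImportedChatflow {
  id?: unknown;
  name?: string;
}

interface ValidationResult {
  accepted: string[];
  rejected: { index: number; reason: string }[];
}

// Validate every ID up front so a bad record is reported and the import is
// refused before any ID reaches a query.
function validateImportIds(chatflows: ImportedChatflow[]): ValidationResult {
  const result: ValidationResult = { accepted: [], rejected: [] };
  chatflows.forEach((cf, index) => {
    if (cf.id === undefined || cf.id === null) {
      result.rejected.push({ index, reason: "missing id" });
    } else if (!isUuid(cf.id)) {
      // Truncate what we echo back so the rejection log cannot be abused as a sink.
      result.rejected.push({ index, reason: `id is not a UUID: ${String(cf.id).slice(0, 40)}` });
    } else {
      result.accepted.push(cf.id.toLowerCase());
    }
  });
  return result;
}

// The pattern the advisory describes: the ID is spliced into the SQL string,
// so an ID containing a quote or path segment changes the statement itself.
// Kept here only to contrast with the hardened form below.
function buildLookupUnsafe(id: string): string {
  return `SELECT id FROM chat_flow WHERE id = '${id}'`; // chat_flow is an assumed table name
}

// Hardened form: the ID is validated, then passed as a bound parameter; the
// query text is a constant and the value can never alter it.
function buildLookupSafe(id: string): { sql: string; params: string[] } {
  if (!isUuid(id)) {
    throw new Error("chatflow id must be a UUID");
  }
  return { sql: "SELECT id FROM chat_flow WHERE id = ?", params: [id.toLowerCase()] };
}

// Constructed sample import: one well-formed UUID, one ID prefixed with
// '../' (the traversal case from the advisory), and one ID carrying a quote.
const SAMPLE_IMPORT: ImportedChatflow[] = [
  { id: "3f2b8a6e-1c4d-4e5f-9a7b-0c1d2e3f4a5b", name: "ok" },
  { id: "../3f2b8a6e-1c4d-4e5f-9a7b-0c1d2e3f4a5b", name: "traversal" },
  { id: "abc'--", name: "quote" },
];

function demo(): ValidationResult {
  return validateImportIds(SAMPLE_IMPORT);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block reports one accepted ID and two rejections with their index and reason; the same isUuid check guards buildLookupSafe, so even a caller that bypasses the import-level validation cannot hand a non-UUID to the query builder. Applying the check to chat IDs as well, as the advisory recommends, is the same function called at one more entry point.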
Source: This report was generated using AI