CVE-2025-29189

7.6 HIGH

📋 TL;DR

Flowise versions up to 2.2.3 contain a SQL injection vulnerability in the Postgres_VectorStores component via the tableName parameter. This allows attackers to execute arbitrary SQL commands on the database. Any organization using vulnerable Flowise versions with PostgreSQL vector stores is affected.

💻 Affected Systems

Products:
  • Flowise
Versions: <= 2.2.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using PostgreSQL vector stores with the vulnerable Postgres_VectorStores component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.

🟠 Likely Case

Unauthorized data access, data exfiltration, and potential database corruption or denial of service.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. The provided references contain technical details that could facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 2.2.3

Vendor Advisory: https://github.com/FlowiseAI/Flowise

Restart Required: Yes

Instructions:

1. Update Flowise to version >2.2.3.
2. Restart the Flowise service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation for the tableName parameter to only allow alphanumeric characters and underscores.
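An allow-list check of the kind this workaround describes, shown as an added example written for this page (not Flowise's own code): the function names, the 63-character identifier limit and the pgvector `<->` distance operator in the sample query are assumptions for the illustration.

```javascript
// Added example: allow-list validation for a table-name parameter before it
// is placed in SQL. Hypothetical helper names; not code from Flowise.
// Identifiers cannot be bound as $1-style parameters in PostgreSQL, so the
// name must be checked against an allow-list and quoted, while the embedding
// itself is always passed as a bound parameter.
const TABLE_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/; // letters, digits, "_"; max 63 chars (assumed limit)

function isValidTableName(name) {
  return typeof name === "string" && TABLE_NAME_RE.test(name);
}

// Double-quote a checked identifier so it is read as a name, never as SQL.
function quoteIdentifier(name) {
  if (!isValidTableName(name)) {
    throw new Error(`rejected table name: ${JSON.stringify(name)}`);
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Build a similarity query from the checked identifier; $1 is the query vector
// supplied separately as a bound parameter (assumes the pgvector <-> operator).
function buildSimilarityQuery(tableName) {
  return `SELECT id, content FROM ${quoteIdentifier(tableName)} ORDER BY embedding <-> $1 LIMIT 5`;
}

// Constructed sample inputs: legitimate names plus values carrying the
// metacharacters (' ; --) that the SIEM query on this page looks for.
const samples = ["documents", "doc_v2", "docs; --", "docs'x", ""];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isValidTableName(s) ? "accepted" : "rejected");
}
```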

Database User Privilege Reduction

Applies to: all

Restrict database user permissions to only necessary operations (SELECT, INSERT, UPDATE) and remove DROP, CREATE, EXECUTE privileges.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules
  • Isolate the vulnerable system from sensitive networks and databases

🔍 How to Verify

Check if Vulnerable:

Check Flowise version. If version <= 2.2.3 and using PostgreSQL vector stores, the system is vulnerable.

Check Version:

Check package.json or Flowise admin interface for version information

Verify Fix Applied:

Verify Flowise version is >2.2.3 and test the Postgres_VectorStores functionality with malicious input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or parameter manipulation attempts in application logs

Network Indicators:

  • Unusual database connection patterns
  • Large data transfers from database server

SIEM Query:

source="flowise_logs" AND (tableName CONTAINS "'" OR tableName CONTAINS ";" OR tableName CONTAINS "--")
