CVE-2025-57164

6.5 MEDIUM

📋 TL;DR

CVE-2025-57164 is a remote code execution vulnerability in the Flowise AI platform caused by unsanitized user input in the Supabase RPC Filter field. An attacker who can reach that field can execute arbitrary code on the Flowise host. All Flowise releases up to and including version 3.0.4 are affected.

💻 Affected Systems

Products:
  • Flowise AI
Versions: All versions through v3.0.4
Operating Systems: All platforms running Flowise
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Flowise deployment using Supabase RPC Filter functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Unauthorized code execution leading to data exfiltration, credential theft, or deployment of backdoors.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, potentially preventing code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the Flowise interface and knowledge of the vulnerable field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.0.5 or later

Vendor Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-7944-7c6r-55vv

Restart Required: No

Instructions:

1. Update Flowise to version 3.0.5 or later.
2. Run 'npm update' in the Flowise directory.
3. Restart the Flowise service.

🔧 Temporary Workarounds

Disable Supabase RPC Filter (applies to: all platforms)

Temporarily disable or restrict access to the vulnerable Supabase RPC Filter functionality.

Input Validation Rules (applies to: all platforms)

Implement strict input validation for all user-supplied data in Flowise configuration.

🧯 If You Can't Patch

  • Network segmentation to isolate Flowise instances from critical systems
  • Implement strict access controls and authentication for Flowise interface

🔍 How to Verify

Check if Vulnerable:

Check the Flowise version: if it is 3.0.4 or earlier, the system is vulnerable.

Check Version:

Check the version field in package.json, or run 'npm list flowise' in the Flowise directory.

Verify Fix Applied:

Verify that the Flowise version is 3.0.5 or later, then confirm the Supabase RPC Filter functionality still works as expected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Suspicious input in Supabase-related logs
  • Error messages related to code evaluation

Network Indicators:

  • Unexpected outbound connections from Flowise server
  • Unusual data exfiltration patterns

SIEM Query:

source="flowise" AND ("Supabase" OR "RPC" OR "eval") AND (error OR suspicious)

🔗 References