Impact
The vulnerability arises from the CSVAgent’s ability to execute custom Pandas CSV read code without sanitization. This allows an attacker to inject a command that is interpolated and executed by the server. As a result, the attacker can run arbitrary shell commands, compromising the confidentiality, integrity, and availability of the host. The weakness is a classic code injection flaw (CWE‑94).
Affected Systems
The flaw affects FlowiseAI’s Flowise front‑end and the flowise‑components set, specifically all releases prior to version 3.1.0. Any instance of these products that has not yet applied the 3.1.0 update is vulnerable.
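To check a deployment against the affected range above, the following added example (not code from the advisory or from the Flowise project) scans a parsed `package-lock.json` for Flowise packages older than 3.1.0. The npm package names `flowise` and `flowise-components` and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example, not Flowise project code. FIXED comes from the advisory;
// the npm package names in WATCHED are assumptions.
const FIXED = "3.1.0";
const WATCHED = new Set(["flowise", "flowise-components"]);

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null if it does not match.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// True when `version` is a release prior to `fixed` (fixed has no prerelease tag).
// A prerelease such as 3.1.0-rc.1 sorts before 3.1.0, so it counts as prior.
function isPriorTo(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true; // fail closed: unparseable versions get reported
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including nested copies under another package's node_modules.
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!WATCHED.has(name) || !meta.version) continue;
    if (isPriorTo(meta.version, FIXED)) findings.push({ path, name, version: meta.version });
  }
  return findings;
}

// Constructed sample lockfile (versions are illustrative, not real release data).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-deployment", version: "1.0.0" },
    "node_modules/flowise": { version: "3.0.7" },
    "node_modules/flowise-components": { version: "3.1.0" },
    "node_modules/flowise/node_modules/flowise-components": { version: "3.1.0-rc.1" },
    "node_modules/express": { version: "4.18.2" },
  },
};

for (const f of findAffected(sampleLock)) {
  console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
}
```

In practice, pass the result of `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected` instead of the sample object.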
Risk and Exploitability
With a CVSS score of 9.4, the vulnerability is considered critical. The EPSS score of 1% indicates that the likelihood of exploitation observed so far is low, yet the weakness remains serious due to the potential for full system compromise. The vulnerability is not yet listed in CISA’s Known Exploited Vulnerabilities catalog. The likely attack vector is the submission of CSVAgent payloads by an authenticated user; the authentication requirement is inferred from the description, which mentions no public unauthenticated vector. Practically, a user with write access to flows can place malicious code in a CSV read routine and trigger execution on the server.