Abstract

Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise.

Vulnerability Details

• Version tested: 3.0.13
• Installer file: https://github.com/FlowiseAI/Flowise
• Platform tested: Ubuntu 25.10

Analysis

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.

Product Information

FlowiseAI Flowise version 3.0.13 — https://github.com/FlowiseAI/Flowise

Setup Instructions

npm install -g flowise@3.0.13
npx flowise start

Root Cause Analysis

FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.

One such feature of Flowise is the ability to create chatflows. Chatflows use a drag-and-drop editor that allows a developer to place nodes which control how an interaction with an LLM will occur. One such node is the CSV Agent node that represents an Agent used to answer queries on a provided CSV file.

When a user makes a query against a chatflow using the CSV Agent node, the run method of the CSV_Agents class is called. This method first reads the contents of the CSV file passed to the node and converts it to a base64 string. It then sets up a pyodide environment and creates a Python script to be executed in this environment. This Python script uses pandas to extract the column names and their types from the provided CSV file. The method then creates a system prompt for an LLM using this data as follows:

You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.
{dict}

I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.

Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.

Question: {question}
Output Code:

Where {dict} is the extracted column names and {question} is the initial prompt provided by the user.

This system prompt is sent to an LLM in order for it to generate a Python script based on the user's prompt, and the LLM-generated response is stored in a variable named pythonCode. The method then evaluates the pythonCode variable in a pyodide environment.

While the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked before the script is executed on the server. The function validatePythonCodeForDataFrame() enumerates through a list named FORBIDDEN_PATTERNS, which contains pairs of regex patterns and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection.

The input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern /\bimport\s+(?!pandas|numpy\b)/g, which intends to search for lines of code that import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code:

import pandas as np, os as pandas
pandas.system("xcalc")

Here, pandas is imported, but so is the os module, with pandas as its alias. OS commands can then be invoked with pandas.system().

Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server.

It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker-controlled server in a chatflow. This server would respond to prompts with an attacker-controlled Python script instead of an LLM-generated response, which would then be evaluated on the server.

Relevant Source Code

packages/components/nodes/agents/CSVAgent/core.ts

import type { PyodideInterface } from 'pyodide'
import * as path from 'path'
import { getUserHome } from '../../../src/utils'

let pyodideInstance: PyodideInterface | undefined

export async function LoadPyodide(): Promise<PyodideInterface> {
    if (pyodideInstance === undefined) {
        const { loadPyodide } = await import('pyodide')
        const obj: any = { packageCacheDir: path.join(getUserHome(), '.flowise', 'pyodideCacheDir') }
        pyodideInstance = await loadPyodide(obj)
        await pyodideInstance.loadPackage(['pandas', 'numpy'])
    }

    return pyodideInstance
}

export const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python`*
### References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj
- https://nvd.nist.gov/vuln/detail/CVE-2026-41264