CVE-2025-29189

Description

Flowise <= 2.2.3 is vulnerable to SQL Injection. via tableName parameter at Postgres_VectorStores.

How to fix CVE-2025-29189

To remediate CVE-2025-29189, upgrade the affected package to a fixed version below.

• npm/flowise-components—upgrade to 2.2.4 or later

Is CVE-2025-29189 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.2.4

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-29189
• PATCHgithub.com/FlowiseAI/Flowise
• WEBdrive.google.com/file/d/1WHPslTmQmAM9xPJifULS2qAo7hcidB4L/view?usp=sharing
• WEBgithub.com/FlowiseAI/Flowise/commit/9a417bdc95f58d6dd92cbf60dad42414aba34754