PT-2025-41318 · Flowise · Flowise

Xlabaiteam · Published 2025-10-08 · Updated 2025-10-20 · CVE-2025-61913

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Flowise versions prior to 3.0.8

Description

Flowise is a drag-and-drop user interface used to build customized large language model flows. Versions prior to 3.0.8 contain a flaw in the WriteFileTool and ReadFileTool components where file path access is not restricted. This allows authenticated attackers to read and write arbitrary files at any path in the file system, potentially leading to remote command execution. Approximately 12.7k potential targets have been identified. The issue involves unrestricted file path access within the ReadFileTool and WriteFileTool components, enabling attackers to pivot from file access.

Recommendations

Update Flowise to version 3.0.8 or later.
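
One way to restrict a file tool's path to a single workspace directory, shown as an added example: it is not Flowise's code or the 3.0.8 fix. The names `resolveInside`, `safeWrite` and `demo`, and the temporary directory layout, are hypothetical.

```javascript
// Added example (not Flowise code): confine file-tool paths to one workspace directory.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True if the path exists, without following a final symlink (so dangling links count).
const lexists = (p) => { try { fs.lstatSync(p); return true; } catch { return false; } };

// Return the real absolute path for `requested` under `baseDir`, or throw if it escapes.
function resolveInside(baseDir, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) throw new Error('invalid path');
  const base = fs.realpathSync(baseDir);
  let existing = path.resolve(base, requested); // an absolute input replaces base here
  const tail = [];
  // Walk up to the deepest component that exists, so not-yet-created files can be checked.
  while (!lexists(existing)) {
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  // realpathSync follows symlinks; a dangling link throws, which fails closed.
  const real = path.join(fs.realpathSync(existing), ...tail);
  const rel = path.relative(base, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes workspace: ' + requested);
  }
  return real;
}

function safeWrite(baseDir, requested, text) {
  const target = resolveInside(baseDir, requested);
  fs.mkdirSync(path.dirname(target), { recursive: true });
  fs.writeFileSync(target, text);
  return target;
}

// Constructed inputs: one legitimate path, then three ways of leaving the workspace.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const ws = path.join(root, 'workspace');
  fs.mkdirSync(ws);
  fs.writeFileSync(path.join(root, 'outside.txt'), 'original');
  fs.symlinkSync(root, path.join(ws, 'link')); // symlink that points out of the workspace
  const inputs = ['notes/a.txt', '../outside.txt', path.join(root, 'outside.txt'), 'link/outside.txt'];
  const verdicts = inputs.map((p) => {
    try { safeWrite(ws, p, 'changed'); return 'allowed'; } catch { return 'blocked'; }
  });
  return { verdicts, outside: fs.readFileSync(path.join(root, 'outside.txt'), 'utf8') };
}
```

The check and the later write are separate system calls, so the workspace directory should not be writable by other local users who could swap a directory for a symlink in between.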

Exploit

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-61913
GHSA-J44M-5V8F-GC9C
GHSA-JV9M-VF54-CHJJ

Affected Products

Flowise