PT-2025-50977 · Microsoft+2 · Vs Code Extension+2
Published
2025-12-12
·
Updated
2025-12-13
·
CVE-2025-67750
CVSS v3.1
8.4
High
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Lightning Flow Scanner versions 6.10.5 and below
Description
Lightning Flow Scanner, a CLI plugin, VS Code Extension, and GitHub Action for Salesforce Flow analysis and optimization, is affected by an issue where maliciously crafted flow metadata files can lead to arbitrary JavaScript execution during scanning. The
APIVersion rule utilizes new Function() to evaluate expression strings, allowing an attacker to inject a malicious expression within rule configuration or crafted flow metadata. This could potentially compromise developer machines, CI runners, or editor environments.Recommendations
Update to version 6.10.6 or later.
Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github Actions
Lightning-Flow-Scanner
Vs Code Extension