CVE-2025-61913

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
GitHub_MCNA
10 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj