← Retour aux CVEs

CVE-2025-61913

CRITICAL

9.9

Description

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.

Details CVE

Score CVSS v3.19.9

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisLOW

Interaction utilisateurNONE

Publie10/8/2025

Derniere modification10/20/2025

Sourcenvd

Observations honeypot0

Produits affectes

flowiseai:flowise

Faiblesses (CWE)

CWE-22

References

https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3(security-advisories@github.com)

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8(security-advisories@github.com)

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c(security-advisories@github.com)

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj(security-advisories@github.com)

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.