CVE-2025-61913 | Flowise is a drag & drop user interface to build a customize… | CVSS 10.0 CRITICAL

Description

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.

Metadata

CVE ID: CVE-2025-61913
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2025-10-03 22:21 UTC
Published: 2025-10-08 22:43 UTC
Last updated: 2025-10-14 14:18 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: FlowiseAI / Flowise
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
FlowiseAI	Flowise	—	< 3.0.8

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (4)

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3 https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8 https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8