CVE-2025-71333 | Flowise through 2.2.4 contains an unauthenticated arbitrary … | CVSS 9.3 CRITICAL

Description

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

Metadata

CVE ID: CVE-2025-71333
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 01:48 UTC
Published: 2026-06-25 21:41 UTC
Last updated: 2026-06-25 21:41 UTC
Primary CWE: CWE-73
External Control of File Name or Path
Vendor / Product: Flowise / Flowise
Sources: cve.org · NVD

Severity & Metrics

9.3 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
Flowise	Flowise	—	0 ≤ 2.2.4

Weakness (CWE)

CWE	Source	Description
CWE-73	cna	External Control of File Name or Path

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

GitHub Security Advisory (GHSA-h42x-xx2q-6v6g) https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g
VulnCheck Advisory: Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint https://www.vulncheck.com/advisories/flowise-arbitrary-file-upload-via-unauthenticated-api-v1-attachments-endpoint