CVE-2025-61913

Sažetak

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.

Reference

https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj

CVSS

Base:	9.9
Impact:	6.0
Exploitability:	3.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Zadnje važnije ažuriranje

14-10-2025 - 15:16

Objavljeno

08-10-2025 - 23:15