Platform
nodejs
Component
flowise
Fixed in
3.0.9
3.0.8
CVE-2025-61913 describes a critical Arbitrary File Access vulnerability discovered in Flowise, a low-code AI application development platform. This vulnerability allows authenticated attackers to write arbitrary files to the server's file system, potentially enabling remote command execution. The vulnerability affects versions 3.0.0 through 3.0.7 and has been resolved in version 3.0.8.
The core of the vulnerability lies within the WriteFileTool component of Flowise, designed to handle large model files. Due to insufficient file path restrictions, an authenticated attacker can manipulate this tool to write files to any location on the server's file system. This is a significant risk because an attacker could overwrite critical system files, inject malicious code, or gain persistent access to the system. Successful exploitation could lead to complete system compromise, data exfiltration, and denial of service. The potential for remote command execution elevates the severity to critical, as it bypasses typical access controls.
This vulnerability was publicly disclosed on 2025-10-09. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the potential for remote command execution suggest a high likelihood of exploitation. The CVSS score of 9.9 (CRITICAL) reflects the severity of the vulnerability. It is not currently listed on CISA KEV, but its criticality warrants close monitoring.
Exploit Status
EPSS
0.70% (72% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade Flowise to version 3.0.8 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the WriteFileTool component to only trusted users and processes. Implement strict file system permissions to limit the attacker's ability to write to sensitive directories. Consider using a Web Application Firewall (WAF) to filter requests containing potentially malicious file paths. Regularly monitor system logs for suspicious file access activity.
Actualice Flowise a la versión 3.0.8 o superior. Esta versión corrige la vulnerabilidad de lectura y escritura arbitraria de archivos. La actualización se puede realizar a través del gestor de paquetes npm o yarn, o descargando la última versión desde el repositorio oficial.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-61913 is a critical vulnerability in Flowise allowing authenticated attackers to write arbitrary files, potentially leading to remote command execution. It affects versions 3.0.0 through 3.0.7.
If you are running Flowise versions 3.0.0 through 3.0.7, you are vulnerable. Check your deployment and upgrade immediately.
Upgrade Flowise to version 3.0.8 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement temporary workarounds like restricting access and tightening file permissions.
While no public exploit is currently available, the vulnerability's criticality and ease of exploitation suggest a high likelihood of exploitation. Monitor your systems closely.
Refer to the Flowise project's official security advisory for detailed information and updates: [https://flowise.ai/security](https://flowise.ai/security)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.