Platform
nodejs
Component
lightning-flow-scanner
Fixed in
6.10.7
6.10.6
CVE-2025-67750 is a Remote Code Execution (RCE) vulnerability in the lightning-flow-scanner component. The attack vector is a file, not a network service: an attacker who can get the scanner to process a crafted flow metadata file can execute arbitrary JavaScript in the scanner's process, compromising developer workstations, CI/CD pipelines, and editor environments that run the scanner. Versions prior to 6.10.6 are affected; 6.10.6 contains the fix.
The root cause is in the APIVersion rule, which evaluated expression strings with new Function(). Because the expression text is taken from the flow metadata being scanned, an attacker who controls that metadata can embed JavaScript in it, and the scanner runs that code with its own privileges when the rule is evaluated. From there the attacker can execute arbitrary commands on the host running the scanner, read secrets or source, or pivot further. The blast radius is every environment in which the scanner runs against untrusted input: developer machines, CI/CD runners, and code editor integrations, which makes this a significant supply-chain risk for anyone scanning third-party or externally sourced flows.
This vulnerability is not currently listed in the CISA KEV catalog. No public proof-of-concept (PoC) is available yet, but crafting a malicious flow metadata file requires no special tooling, and evaluating attacker-controlled strings with new Function() is a well-understood code-injection pattern, so the vulnerability should be treated as a high priority to remediate.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67750 is to upgrade lightning-flow-scanner to version 6.10.6 or later. That release removes the new Function() calls and replaces them with a restricted parser that validates the operator and performs a numeric comparison instead of evaluating the expression as JavaScript. If an immediate upgrade is not feasible, run the scanner only against flow metadata from trusted sources, and review any externally sourced flow files before processing them. A WAF or proxy cannot mitigate this vulnerability, since the untrusted input is a file consumed locally rather than a request; strict validation of flow metadata before it reaches the scanner is the only compensating control. After upgrading, confirm the fix by scanning a flow that contains a deliberately malformed APIVersion expression: the parser should reject it rather than execute it.
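The vulnerable pattern described above and the hardened replacement, as an added example that is not the project's own code. The exact shape of the expression strings the real APIVersion rule accepts is an assumption here: they are modelled as an operator followed by a number (for example `>= 50`). The payload, the function names and the `globalThis.pwned` flag are constructed for the demonstration.

```javascript
// Added example (not lightning-flow-scanner's own code). Models the
// APIVersion rule's expression check two ways: the new Function() pattern
// the advisory describes, and a grammar-restricted parser in its place.
// Assumed expression shape: "<operator> <number>", e.g. ">= 50".

// Vulnerable: builds JavaScript source from an attacker-controlled string and
// runs it. Anything after the operator executes with the scanner's privileges.
function unsafeApiVersionCheck(apiVersion, expression) {
  return new Function("v", "return v " + expression + ";")(apiVersion);
}

// Hardened: only a known operator followed by a decimal number is accepted.
// Nothing from the metadata is ever handed to the JS engine as code.
const OPERATORS = {
  "==": (a, b) => a === b,
  "!=": (a, b) => a !== b,
  "<":  (a, b) => a < b,
  "<=": (a, b) => a <= b,
  ">":  (a, b) => a > b,
  ">=": (a, b) => a >= b,
};

function parseApiVersionExpression(expression) {
  if (typeof expression !== "string") {
    throw new TypeError("APIVersion expression must be a string");
  }
  // Two-character operators are listed before "<" and ">" so "<=" is not
  // split into "<" plus a non-numeric remainder.
  const m = /^\s*(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)?)\s*$/.exec(expression);
  if (!m) {
    throw new Error("Invalid APIVersion expression: " + JSON.stringify(expression));
  }
  return { op: m[1], value: Number(m[2]) };
}

function safeApiVersionCheck(apiVersion, expression) {
  const { op, value } = parseApiVersionExpression(expression);
  const n = Number(apiVersion); // flow metadata carries apiVersion as text, e.g. "59.0"
  if (!Number.isFinite(n)) {
    throw new TypeError("apiVersion must be numeric, got " + JSON.stringify(apiVersion));
  }
  return OPERATORS[op](n, value);
}

// Constructed payload: still a syntactically valid comparison, but the comma
// expression runs first. A real attacker would invoke child_process here
// instead of setting a flag.
const PAYLOAD = ">= (globalThis.pwned = true, 50)";

// Returns true when the hardened parser refuses the expression.
function rejects(expression) {
  try {
    parseApiVersionExpression(expression);
    return false;
  } catch {
    return true;
  }
}

// Runs both checks against the payload and a benign expression.
function demo() {
  delete globalThis.pwned;
  const unsafeResult = unsafeApiVersionCheck(60, PAYLOAD); // comparison "succeeds"...
  const pwned = globalThis.pwned === true;                 // ...and the side effect ran
  const safeRejected = rejects(PAYLOAD);                   // hardened parser refuses it
  const benign = safeApiVersionCheck("59.0", "< 60");      // legitimate rule still works
  return { unsafeResult, pwned, safeRejected, benign };
}

console.log(demo());
```

The point of the hardened version is that rejection happens at parse time, before any comparison: a flow whose APIVersion expression contains anything other than an operator and a number fails the scan with an error instead of executing. That is also the behaviour to look for when verifying the upgrade.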
Update lightning-flow-scanner to version 6.10.6 or later. This can be done through npm or yarn, depending on your package manager. Run `npm install lightning-flow-scanner@latest` or `yarn upgrade lightning-flow-scanner` to obtain the fixed version.
CVE-2025-67750 is a Remote Code Execution (RCE) vulnerability in lightning-flow-scanner in which a malicious flow metadata file triggers arbitrary JavaScript execution while it is being scanned.
You are affected if you are using a version of lightning-flow-scanner prior to 6.10.6 and are processing untrusted flow metadata files.
Upgrade to version 6.10.6 or later of lightning-flow-scanner to remediate the vulnerability. This removes the vulnerable code and implements a safer parser.
There are no confirmed reports of active exploitation, but the low effort required to craft a malicious flow file and the impact of code execution on CI/CD and developer hosts mean the risk of exploitation is real.
Refer to the official lightning-flow-scanner project's release notes or security advisories for details on the fix and further information.