Platform: nodejs
Component: lightning-flow-scanner
Fixed in: 6.10.7, 6.10.6
CVE-2025-67750 describes a Remote Code Execution (RCE) vulnerability within the lightning-flow-scanner component. This flaw allows an attacker to execute arbitrary JavaScript code by crafting malicious flow metadata files, potentially compromising developer workstations, CI/CD pipelines, and editor environments. The vulnerability affects versions prior to 6.10.6, and a patch has been released to address the issue.
The core of the vulnerability is the APIVersion rule's use of `new Function()` to evaluate expression strings taken from flow metadata. An attacker who can supply a flow metadata file therefore controls JavaScript source that the scanner compiles and runs. When the scanner processes such a file, the injected code executes with the scanner's privileges, which can lead to arbitrary command execution on the host, data theft, system compromise, or further malicious activity. The blast radius extends to any environment where the scanner runs, including developer machines, CI/CD runners, and code editor integrations, making this a significant security risk.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the nature of the flaw and the ease of crafting malicious flow metadata suggest a potential for exploitation. The use of `new Function()` on untrusted input is a well-known attack vector, and the potential for remote code execution makes this a high-priority vulnerability to address.
Developers using lightning-flow-scanner in their development workflows are at significant risk. This includes teams utilizing CI/CD pipelines that incorporate the scanner, as well as developers using code editors or IDEs that integrate with the component. Shared hosting environments where multiple developers share the same instance of the scanner are particularly vulnerable.
• nodejs: Monitor process execution for unusual JavaScript activity. Use `ps aux | grep node` to identify running instances of lightning-flow-scanner. Examine the command-line arguments for suspicious flow metadata files.
• nodejs: Inspect the lightning-flow-scanner module's source code for the presence of `new Function()` calls, particularly within the APIVersion rule.
• generic web: If the scanner is exposed via a web interface, monitor access logs for requests containing unusual or malformed flow metadata. Look for POST requests to endpoints that process flow files.
• generic web: Check for unexpected JavaScript execution in the browser's developer console when interacting with the scanner's web interface.
EPSS: 0.03% (percentile 9%)
The primary mitigation for CVE-2025-67750 is to upgrade to version 6.10.6 or later of the lightning-flow-scanner component. This version removes the vulnerable `new Function()` calls and replaces them with a safer parser that validates operators and performs numeric comparisons. If an immediate upgrade is not feasible, consider isolating the scanner from untrusted networks and carefully reviewing all flow metadata files before processing them. A WAF or proxy cannot directly mitigate this vulnerability, but strict input validation on flow metadata files can provide an additional layer of defense. After upgrading, confirm the fix by attempting to scan a flow containing a deliberately crafted malicious expression; the parser should reject it.
Update lightning-flow-scanner to version 6.10.6 or later. This can be done through npm or yarn, depending on your package manager. Run `npm install lightning-flow-scanner@latest` or `yarn upgrade lightning-flow-scanner` to obtain the fixed version.
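As an added example (not the lightning-flow-scanner project's own code), the string-evaluation pattern the advisory describes, shown beside a strict replacement of the kind the fix introduces: the expression is matched against an allow-list of comparison operators followed by a numeric literal, and anything outside that grammar is rejected before any comparison happens. The function names and the exact expression grammar are assumptions for illustration.

```javascript
// Added example: strict parsing of version-comparison expressions instead of
// evaluating them as JavaScript. Function names and grammar are assumptions.

// The unsafe pattern: the expression string becomes JavaScript source, so any
// text appended to it runs with the scanner's privileges.
function unsafeMatches(expression, apiVersion) {
  return new Function("v", "return v " + expression + ";")(apiVersion);
}

// Allow-listed operators, each mapped to a pure numeric comparison.
const OPERATORS = {
  "==": (a, b) => a === b,
  "!=": (a, b) => a !== b,
  "<": (a, b) => a < b,
  "<=": (a, b) => a <= b,
  ">": (a, b) => a > b,
  ">=": (a, b) => a >= b,
};

// Accepted grammar (assumed): optional whitespace, one operator from the
// allow-list, optional whitespace, a decimal number, and nothing else.
const EXPRESSION = /^\s*(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)?)\s*$/;

// Parse the expression; throw on anything outside the grammar rather than
// handing the string to the JavaScript engine.
function parseVersionExpression(expression) {
  if (typeof expression !== "string") throw new TypeError("expression must be a string");
  const m = EXPRESSION.exec(expression);
  if (!m) throw new SyntaxError(`rejected expression: ${JSON.stringify(expression)}`);
  return { operator: m[1], value: Number(m[2]) };
}

// Safe replacement for unsafeMatches: validate first, then compare numbers.
function safeMatches(expression, apiVersion) {
  const { operator, value } = parseVersionExpression(expression);
  const version = Number(apiVersion);
  if (!Number.isFinite(version)) throw new TypeError("apiVersion must be numeric");
  return OPERATORS[operator](version, value);
}

// True when the parser rejects the expression; useful when confirming the fix
// with a deliberately malformed expression, as the mitigation section suggests.
function isRejected(expression) {
  try { parseVersionExpression(expression); return false; } catch (e) { return true; }
}
```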
CVE-2025-67750 is a Remote Code Execution (RCE) vulnerability in lightning-flow-scanner where malicious flow metadata can trigger arbitrary JavaScript execution during scanning.
You are affected if you are using a version of lightning-flow-scanner prior to 6.10.6 and are processing untrusted flow metadata files.
Upgrade to version 6.10.6 or later of lightning-flow-scanner to remediate the vulnerability. This removes the vulnerable code and implements a safer parser.
While there are no confirmed reports of active exploitation, the vulnerability's nature and potential impact suggest a risk of exploitation.
Refer to the official lightning-flow-scanner project's release notes or security advisories for details on the fix and further information.