Total.js Flow CVE-2025-11655
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in Total.js Flow up to 673ef9144dd25d4f4fd4fdfda5af27f230198924. The impacted element is an unknown function of the component SVG File Handler. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper access control in Total.js Flow SVG File Handler allows high-privileged remote attackers to upload files without proper restrictions, bypassing upload security controls. The vulnerability affects versions up to commit 673ef9144dd25d4f4fd4fdfda5af27f230198924 and has public exploit code available, though real-world exploitation risk is constrained by the requirement for administrative privileges (PR:H in CVSS vector) and minor confidentiality/integrity impact.
Technical ContextAI
The vulnerability resides in the SVG File Handler component of Total.js Flow, a JavaScript-based workflow and business logic platform. The root cause is CWE-284 (Improper Access Control), indicating that the file upload mechanism fails to properly enforce authorization checks on SVG file uploads. The SVG handler, typically used for image processing or validation workflows, does not restrict upload operations even when initiated by remote network access, creating a potential attack surface for authenticated administrators. The issue is exacerbated by Total.js Flow's rolling-release model, which obscures traditional versioning and patch tracking.
Affected ProductsAI
Total.js Flow is affected through commit 673ef9144dd25d4f4fd4fdfda5af27f230198924. Because the product uses continuous delivery with rolling releases, traditional version numbering is unavailable. The vendor has not released explicit patched version identifiers. Users should track the Total.js Flow repository for commits after the reported vulnerable hash, and review any security advisories on the official Total.js GitHub organization.
RemediationAI
No vendor-released patch with explicit version number identified at time of analysis due to rolling-release model. Immediate remediation requires: (1) Update Total.js Flow to the latest commit after 673ef9144dd25d4f4fd4fdfda5af27f230198924 by pulling the latest changes from the official Total.js Flow repository; (2) Review and restrict administrative access in your deployment - limit the number of accounts with File Handler management permissions; (3) Implement network-level access controls to the Total.js Flow administrative interface, restricting SVG upload endpoints to trusted internal networks only; (4) Enable file type validation and MIME-type checking on all upload handlers, rejecting SVG uploads that deviate from expected structure; (5) Monitor upload logs for suspicious SVG file submissions from administrative accounts. As a temporary compensating control pending an upstream fix, disable the SVG File Handler feature if it is not critical to your workflows, though this may impact dependent processes.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today