Skip to main content

Flowise CVE-2025-71334

| EUVDEUVD-2025-210340 CRITICAL
External Control of File Name or Path (CWE-73)
2026-06-25 VulnCheck GHSA-w5r9-j49j-2m55
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Unauthenticated network endpoints (PR:N, AV:N, AC:L) allow arbitrary file read and write leading to RCE, giving high confidentiality, integrity, and availability impact with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 22:33 vuln.today
Analysis Generated
Jun 25, 2026 - 22:33 vuln.today

DescriptionCVE.org

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value (e.g., '../../../../../tmp') as the chatflow id, an unauthenticated attacker can use the /api/v1/chatflows endpoint (via addBase64FilesToStorage) to write arbitrary files, and the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints (via streamStorageFile) to read arbitrary files. Arbitrary file write may lead to remote code execution.

AnalysisAI

Arbitrary file read and write in FlowiseAI Flowise (versions 2.2.8 through 3.0.5) lets remote unauthenticated attackers traverse the filesystem because the chatflowId and chatId parameters are never validated as UUIDs or numbers. By supplying a path-traversal value such as '../../../../../tmp' as the chatflow id, an attacker can write controlled files via the /api/v1/chatflows endpoint and read arbitrary files via /api/v1/get-upload-file and /api/v1/openai-assistants-file/download - and the file-write primitive can be escalated to remote code execution. A proof-of-concept is published in the GHSA advisory, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.

Technical ContextAI

Flowise is an open-source, low-code drag-and-drop builder for LLM/agent workflows built on Node.js/TypeScript. The flaw lives in packages/components/src/storageUtils.ts, where storage keys and on-disk paths are assembled by concatenating user-supplied identifiers: addBase64FilesToStorage builds path.join(getStoragePath(), chatflowid) for writes, and streamStorageFile builds chatflowId + '/' + chatId + '/' + fileName (or path.join for local disk) for reads. While filenames were sanitized, the chatflowId/chatId path components were not constrained to UUID/number format, so '../' sequences escape the storage directory on both local disk and S3-style object stores (where '../' is treated as a relative key per AWS guidance). This is a textbook CWE-73 (External Control of Filename or Path) issue; the affected component is identified by CPE cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to Flowise 3.0.6 or later, which adds UUID/number validation and filename sanitization via the sanitize-filename library (Vendor-released patch: 3.0.6), as delivered in commits 8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and c2b830f279e454e8b758da441016b2234f220ac7. Until you can patch, do not expose Flowise directly to untrusted networks: place it behind an authenticating reverse proxy or VPN and restrict or block external access to the affected endpoints (/api/v1/chatflows, /api/v1/get-upload-file, and /api/v1/openai-assistants-file/download), accepting that blocking these will break upload and file-download functionality for legitimate users. You can also add a WAF/proxy rule rejecting requests whose chatflowId/chatId path parameters contain '../' or are not valid UUIDs/numbers, and run the service as a low-privilege account on a constrained storage path to limit blast radius. Details: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2025-71334 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy