CVE-2025-61913

Опубликовано: 08 окт. 2025

Источник: nvd

CVSS3: 9.9

EPSS Низкий

Описание

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.

Ссылки

https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3
Patch
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8
Release Notes
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
Exploit
Vendor Advisory
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj
Exploit
Vendor Advisory
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
Exploit
Vendor Advisory
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

Версия до 3.0.8 (исключая)

EPSS

Процентиль: 75%

0.009

Низкий

9.9 Critical

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-jv9m-vf54-chjj