Unrestricted Upload Vulnerability in Total.js Flow's SVG File Handler
CVE-2025-11655

5.1MEDIUM

Key Information:

Vendor

Total.js

Status
Flow
Vendor
CVE Published:
13 October 2025

What is CVE-2025-11655?

A security flaw has been identified in Total.js Flow related to its SVG File Handler component. This vulnerability enables attackers to perform unrestricted file uploads, which can potentially be exploited remotely. The continuous delivery process utilized by the product means that detailed version information regarding affected releases is sparse. Despite early notification to the vendor regarding this issue, no response has been received, highlighting the urgency for users to assess their security posture regarding this vulnerability.

Affected Version(s)

Flow 673ef9144dd25d4f4fd4fdfda5af27f230198924

References

https://vuldb.com/?id.328072
vdb-entry
https://vuldb.com/?ctiid.328072
signaturepermissions-required
https://vuldb.com/?submit.665479
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Edcarlos (VulDB User)
JSON
.
CVE-2025-11655 : Unrestricted Upload Vulnerability in Total.js Flow's SVG File Handler