File Upload Vulnerability in FlowiseAI Affects File Management
CVE-2025-61687

8.3 HIGH

Key Information:

Vendor

Flowiseai

Status
Vendor
CVE Published: 6 October 2025

What is CVE-2025-61687?

FlowiseAI, a platform for building customized large language model workflows, contains a file upload vulnerability in version 3.0.7. Authenticated users can upload arbitrary files because the upload path applies no appropriate validation checks: file extensions, MIME types, and the content of uploaded files are all inadequately validated. As a result, attackers can store malicious Node.js web shells on the server, leading to potential Remote Code Execution (RCE) and creating an avenue for persistent threats. The malicious files do not execute automatically, but their presence on the server can be exploited later, especially through possible administrative errors or additional vulnerabilities. This vulnerability represents a significant threat to the integrity and confidentiality of the affected system.
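
The three checks the description names (extension, MIME type, content) can be combined into one allowlist gate, shown here as an added example that is not Flowise's code or its fix. The allowlist entries, the size limit and the function name validateUpload are assumptions chosen for illustration.

```javascript
// Added example, not Flowise code: allowlist gate for an uploaded file.
const path = require('node:path');
const crypto = require('node:crypto');

// Hypothetical allowlist: final extension -> expected MIME type and leading magic bytes.
const ALLOWED = new Map([
  ['.png', { mime: 'image/png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) }],
  ['.jpg', { mime: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) }],
  ['.pdf', { mime: 'application/pdf', magic: Buffer.from('%PDF-') }],
]);
const MAX_BYTES = 5 * 1024 * 1024; // assumed upload size limit

function validateUpload(originalName, declaredMime, content) {
  // Only the final extension counts, so "report.png.js" is judged as ".js".
  const ext = path.extname(String(originalName)).toLowerCase();
  const rule = ALLOWED.get(ext);
  if (!rule) return { ok: false, reason: 'extension not allowed' };
  // The client-declared MIME type must agree with the extension.
  if (declaredMime !== rule.mime) return { ok: false, reason: 'MIME type mismatch' };
  if (!Buffer.isBuffer(content) || content.length === 0 || content.length > MAX_BYTES) {
    return { ok: false, reason: 'invalid size' };
  }
  // The file must start with the signature of the type it claims to be.
  if (!content.subarray(0, rule.magic.length).equals(rule.magic)) {
    return { ok: false, reason: 'content does not match type' };
  }
  // Never reuse the client-supplied name: store under a server-generated one.
  return { ok: true, storedName: crypto.randomUUID() + ext };
}

// Constructed sample inputs (not real uploads).
const SAMPLE_PNG = Buffer.concat([ALLOWED.get('.png').magic, Buffer.alloc(16)]);
const SAMPLE_SCRIPT = Buffer.from('console.log("not an image");');

function demo() {
  return [
    validateUpload('shell.js', 'application/javascript', SAMPLE_SCRIPT), // rejected: extension
    validateUpload('avatar.png', 'image/png', SAMPLE_SCRIPT),            // rejected: content
    validateUpload('avatar.png', 'text/plain', SAMPLE_PNG),              // rejected: MIME type
    validateUpload('avatar.png', 'image/png', SAMPLE_PNG),               // accepted
  ];
}
```

A magic-byte check only confirms how a file begins, so uploads should also be stored outside any directory the application loads or serves code from.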

Affected Version(s)

Flowise = 3.0.7

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
