File Access Vulnerability in Flowise Drag & Drop Interface
CVE-2025-61913
What is CVE-2025-61913?
CVE-2025-61913 is a critical vulnerability in Flowise, a drag-and-drop user interface for building customized large language model flows. It affects versions prior to 3.0.8 and lies in the WriteFileTool and ReadFileTool components, which fail to properly restrict file path access. As a result, authenticated attackers can read and write arbitrary files on the file system. This could lead to severe security breaches, including remote command execution, allowing attackers to gain unauthorized control over affected systems. Organizations relying on Flowise may face significant risks, including data loss, unauthorized data manipulation, and compromised system integrity.
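Added example, not Flowise's own code or its patch: one way a file tool can confine the paths it is given to a single workspace directory, resolving symlinks before the containment check. The names resolveInside, present and demo and the temp-directory layout are assumptions made for illustration.

```javascript
// Added example (not Flowise code): confine file tools to one directory.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// lstat does not follow symlinks, so a dangling symlink still counts as present.
function present(p) {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Return the real path of `requested` inside `baseDir`, or throw if it escapes.
function resolveInside(baseDir, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = fs.realpathSync(baseDir);
  let existing = path.resolve(base, requested); // collapses "..", honours absolute input
  const tail = [];
  // Walk up to the deepest existing ancestor so not-yet-created files are
  // checked against the real location of their parent directory.
  while (!present(existing)) {
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  const real = path.join(fs.realpathSync(existing), ...tail);
  const rel = path.relative(base, real);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes workspace: ' + requested);
  }
  return real;
}

// Constructed sample: a temp workspace with a symlink pointing outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const workspace = path.join(root, 'workspace');
  fs.mkdirSync(workspace);
  fs.mkdirSync(path.join(root, 'outside'));
  fs.symlinkSync(path.join(root, 'outside'), path.join(workspace, 'link'));
  const cases = { nested: 'notes/out.txt', normalised: 'a/../b.txt', dotdot: '../outside/x',
    absolute: path.join(root, 'outside', 'x'), symlink: 'link/x' };
  const results = {};
  for (const [name, p] of Object.entries(cases)) {
    try { resolveInside(workspace, p); results[name] = 'allowed'; }
    catch { results[name] = 'rejected'; }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}
console.log(demo());
```

The check and the later open are separate steps, so the workspace directory should not be writable by other untrusted processes.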
Potential impact of CVE-2025-61913
- Unauthorized File Access: Attackers can exploit this vulnerability to gain access to sensitive files on the server, posing risks to data confidentiality and integrity.
- Remote Code Execution: The ability for attackers to read and write arbitrary files may enable them to execute malicious code remotely, leading to total system compromise and further exploitation within the network.
- Operational Disruption: The exploitation of this vulnerability can result in significant operational disruptions, leading to downtime or degraded performance of business-critical applications that rely on Flowise.

Affected Version(s)
Flowise < 3.0.8
