CVE-2025-61913

moderate-risk

Published 2025-10-08

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.

Do I need to act?

0.70% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: ac794ab6eb8025144d044013f75b07c75ca938b8

CVSS 9.9/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Flowise

Affected Vendors

Flowiseai

References (6)

Patch https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d...

Release Notes https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8

Exploit https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c

Exploit https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj

Exploit https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c

Exploit https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal