CVE-2025-71333
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
Flowise through version 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.
Risk Assessment
The risk for the organization includes the possibility of remote code execution by an unauthenticated attacker, which could lead to full server compromise and compromise of data confidentiality, integrity, and availability.
Recommendation
It is recommended to immediately upgrade Flowise to a version newer than 2.2.4 if available, or apply temporary mitigations such as disabling the /api/v1/attachments endpoint or restricting access to it via a firewall.
Original NVD description (English source)
Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

