CVE Catalog

CVE-2025-71333

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.52%

40th percentile — higher than 40% of all known CVEs

Summary

Flowise through version 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

Risk Assessment

The risk for the organization includes the possibility of remote code execution by an unauthenticated attacker, which could lead to full server compromise and compromise of data confidentiality, integrity, and availability.

Recommendation

It is recommended to immediately upgrade Flowise to a version newer than 2.2.4 if available, or apply temporary mitigations such as disabling the /api/v1/attachments endpoint or restricting access to it via a firewall.

Original NVD description (English source)

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS