CVE Catalog

CVE-2025-71338

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

45th percentile — higher than 45% of all known CVEs

Summary

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

Risk Assessment

The risk for the organization includes potential full server compromise through remote code execution, which could lead to data theft, service disruption, or further attacks on the infrastructure.

Recommendation

It is recommended to immediately update Flowise to the latest version that fixes this vulnerability and implement file path validation to prevent path traversal attacks.

Original NVD description (English source)

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS