CVE-2025-61913
Gravedad CVSS v3.1:
CRÍTICA
Tipo:
CWE-22
Limitación incorrecta de nombre de ruta a un directorio restringido (Path Traversal)
Fecha de publicación:
08/10/2025
Última modificación:
20/10/2025
Descripción
*** Pendiente de traducción *** Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.
Impacto
Puntuación base 3.x
9.90
Gravedad 3.x
CRÍTICA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:* | 3.0.8 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3
- https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj