CRITICAL🇵🇱 Wersja polska

CVE-2025-71338

CVSS 10.0v4.0pub. 2026-06-25upd. 2026-07-01

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

🤖 AI Analysis
How it works

The attacker sends a request to the /api/v1/document-store/loader/process endpoint, passing path traversal sequences (../) in the fileName parameter without requiring authentication. The lack of sanitization of the fileName parameter allows exiting the permitted directory and overwriting arbitrary files in the file system — including critical application files such as package.json. After overwriting a key file and restarting the application, malicious code is executed by the server, resulting in RCE being obtained.

Impact

An attacker can gain full control over the server through RCE, which includes the ability to steal data, install backdoors, perform lateral movement in the network, and completely compromise the environment in which Flowise is running.

Mitigation & patch

Security patches available from the vendor should be applied according to the references (GitHub Security Advisory GHSA-8vvx-qvq9-5948). Until the update is applied, it is recommended to restrict access to the /api/v1/document-store/loader/process endpoint at the firewall or reverse proxy level and enforce authentication before reaching the application.

Who is affected

Flowise application — versions indicated in the vendor's references (affects network-accessible instances without an additional authentication layer).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Flowiseai Flowise

    APP
    Flowiseai
    ≤ 3.1.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath TraversalAuth Bypass
CWE
References

Related vulnerabilities

CVE-2025-71336CRITICAL9.3PL ✓ten sam produkt

RCE w Flowise — command injection przez endpoint Custom MCP

CVE-2025-71327CRITICAL9.3PL ✓ten sam produkt

Flowise – Authentication Bypass przez niezabezpieczony endpoint rejestracji

CVE-2025-71333CRITICAL9.3PL ✓ten sam produkt

Flowise – nieuwierzytelniony upload plików z path traversal umożliwiający RCE

CVE-2025-71334CRITICAL9.3PL ✓ten sam produkt

Flowise – path traversal umożliwiający zapis/odczyt plików i RCE (bez uwierzytelnienia)

CVE-2026-46440CRITICAL9.1PL ✓ten sam produkt

Flowise: niebezpieczna walidacja danych uwierzytelniających w endpoincie checkBasicAuth