CVE-2025-61913

CVE-2025-61913 is a path traversal vulnerability (CWE-22) affecting the WriteFileTool and ReadFileTool components in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. Versions of Flowise prior to 3.0.8 fail to restrict file path access in these tools, enabling unauthorized file operations. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows reading and writing arbitrary files to any path on the file system, which can lead to remote command execution by targeting critical system files or scripts.

Flowise addressed this issue in version 3.0.8, as detailed in the project's security advisories (GHSA-j44m-5v8f-gc9c and GHSA-jv9m-vf54-chjj) and the fixing commit (1fb12cd93143592a18995f63b781d25b354d48a3). Security practitioners should update to Flowise 3.0.8 or later to mitigate the risk, per the release notes.

This vulnerability is particularly relevant in AI/ML environments, as Flowise is designed for LLM workflow orchestration, potentially exposing deployments handling sensitive model data or configurations to filesystem compromise. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-10-08.