CVE-2025-61687 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

Flowise 3.0.7 performs zero validation on uploaded files — no extension checks, no MIME type inspection, no content scanning — allowing any authenticated user to upload a Node.js web shell that persists on the server and exposes HTTP endpoints for arbitrary OS command execution. With a CVSS of 8.8, network-accessible attack vector, low complexity, and a public PoC already circulating, exploitation requires minimal skill; the fact that Flowise has accumulated 16 CVEs in the same package signals a pattern of systemic insecure development that compounds urgency. No patched version exists as of publication, making this an active zero-day for every Flowise deployment in production. Immediately disable or block file upload endpoints via reverse proxy rules, audit existing upload directories for executable files (.js, .sh, .py), isolate Flowise from sensitive internal networks, and monitor HTTP access logs for shell invocation patterns until the vendor releases a patch.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

High risk with elevated urgency due to zero-day status. CVSS 8.8 with network-accessible, low-complexity exploitation requiring only low privileges places this within reach of any authenticated user — including compromised accounts. Flowise is commonly deployed as an AI agent orchestration server with privileged access to LLM APIs, databases, internal tools, and environment secrets, meaning post-exploitation blast radius extends well beyond the host. The public PoC shortens the window between awareness and active exploitation. The 16-CVE history in the same package suggests patching cadence may be slow.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	—	No patch

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

N/A

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

No patch available — treat as active zero-day requiring immediate containment.
Block or disable file upload endpoints at the reverse proxy level (restrict /api/v1/attachments and related routes) if attachment functionality is not operationally required.
Audit the Flowise uploads/storage directory for any .js, .sh, .py, .php, or other executable files not placed there by administrators.
Restrict Flowise access to trusted authenticated users only; enforce MFA where possible and rotate all Flowise account credentials.
Segment Flowise servers from internal networks — no direct inbound internet exposure, no broad internal access.
Monitor HTTP access logs for GET requests targeting uploaded file paths or unexpected subprocess execution patterns.
Consider taking publicly exposed instances offline until a vendor patch is released.
Subscribe to FlowiseAI GitHub Security Advisories (GHSA-35g6-rrw3-v6xc) for patch notification.

Classification

Code Execution Data Leakage Supply Chain Agent Framework AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell AML.T0079 - Stage Capabilities AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system risk management process

NIST AI RMF

MANAGE 2.2 - Mechanisms exist to sustain the value and manage risk of deployed AI systems over their operational lifetime

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. A file upload vulnerability in version 3.0.7 of FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). The system fails to validate file extensions, MIME types, or file content during uploads. As a result, malicious scripts such as Node.js-based web shells can be uploaded and stored persistently on the server. These shells expose HTTP endpoints capable of executing arbitrary commands if triggered. The uploaded shell does not automatically execute, but its presence allows future exploitation via administrator error or chained vulnerabilities. This presents a high-severity threat to system integrity and confidentiality. As of time of publication, no known patched versions are available.

Exploitation Scenario

An attacker with a low-privilege Flowise account — obtained via credential stuffing leveraging one of Flowise's prior 16 CVEs, phishing, or simple weak credential abuse — navigates to the file attachment upload feature within a chatflow. They upload a minimal Node.js web shell (e.g., a .js file using the 'child_process' module to execute shell commands passed via HTTP query parameters). The server stores the file without any validation. The attacker identifies the persistent file path from the API response. Via a second trigger — such as a misconfigured static file server route, a path traversal in another endpoint, or social engineering an admin into loading the file — the shell executes with the Flowise process privileges. The attacker then reads the .env file to harvest all LLM API keys and database connection strings, establishes a reverse shell for persistent access, and pivots laterally through the AI agent infrastructure to downstream connected services.