CVE-2025-61913: Flowise: path traversal in file tools leads to RCE
CRITICAL PoC AVAILABLE CISA: ATTENDFlowise's built-in WriteFileTool and ReadFileTool — agent-accessible tools in the drag-and-drop LLM workflow builder — perform no path sanitization, allowing any authenticated user (low privilege) to read or write arbitrary files anywhere on the host filesystem, with a direct path to remote code execution. The CVSS score of 9.9 reflects the full scope impact (S:C): a single compromised Flowise instance can expose all credentials, configurations, and AI pipeline data on the host, and write-access means attackers can plant webshells or overwrite critical system files. A public proof-of-concept exploit exists and there are 16 CVEs in this package's history, indicating a pattern of security debt — treat this as actively exploitable. Patch to Flowise 3.0.8 immediately; if immediate patching is not feasible, disable WriteFileTool and ReadFileTool in all flows via the node configuration and restrict Flowise to isolated, sandboxed environments with no access to host credentials or sensitive paths.
What is the risk?
Risk is CRITICAL. CVSS 9.9 with network-accessible, low-complexity, low-privilege attack vector and full confidentiality/integrity/availability impact with scope change. A public PoC lowers the bar to script-kiddie level. Flowise is widely deployed by teams building LLM workflows — many deployments expose the UI to internal networks or even the internet. The combination of arbitrary file read (credential harvesting, .env exfiltration, API key theft) and arbitrary file write (webshell deployment, config poisoning, cron-based persistence) makes this a full-host compromise scenario, not just application-level. The 16 prior CVEs in the package signal a systemic lack of security controls in this codebase.
What systems are affected?
How severe is it?
What is the attack surface?
What should I do?
7 steps-
Patch immediately to Flowise 3.0.8 — the fix is available and the patch commit is public (1fb12cd).
-
If patching is delayed: disable WriteFileTool and ReadFileTool nodes in all existing flows and block their use via Flowise's tool configuration.
-
Audit access logs for unexpected file path arguments to these tools — look for path traversal patterns (../, /etc/, /home/, /.env).
-
Rotate all credentials accessible from the Flowise host (API keys, DB passwords, cloud credentials).
-
Deploy Flowise in a containerized environment with filesystem isolation — mount only required directories, not the full host filesystem.
-
Restrict Flowise to authenticated internal users only; disable public-facing access until patched.
-
Scan for webshells or modified files if the system was potentially exposed pre-patch.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-61913?
Flowise's built-in WriteFileTool and ReadFileTool — agent-accessible tools in the drag-and-drop LLM workflow builder — perform no path sanitization, allowing any authenticated user (low privilege) to read or write arbitrary files anywhere on the host filesystem, with a direct path to remote code execution. The CVSS score of 9.9 reflects the full scope impact (S:C): a single compromised Flowise instance can expose all credentials, configurations, and AI pipeline data on the host, and write-access means attackers can plant webshells or overwrite critical system files. A public proof-of-concept exploit exists and there are 16 CVEs in this package's history, indicating a pattern of security debt — treat this as actively exploitable. Patch to Flowise 3.0.8 immediately; if immediate patching is not feasible, disable WriteFileTool and ReadFileTool in all flows via the node configuration and restrict Flowise to isolated, sandboxed environments with no access to host credentials or sensitive paths.
Is CVE-2025-61913 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-61913, increasing the risk of exploitation.
How to fix CVE-2025-61913?
1. Patch immediately to Flowise 3.0.8 — the fix is available and the patch commit is public (1fb12cd). 2. If patching is delayed: disable WriteFileTool and ReadFileTool nodes in all existing flows and block their use via Flowise's tool configuration. 3. Audit access logs for unexpected file path arguments to these tools — look for path traversal patterns (../, /etc/, /home/, /.env). 4. Rotate all credentials accessible from the Flowise host (API keys, DB passwords, cloud credentials). 5. Deploy Flowise in a containerized environment with filesystem isolation — mount only required directories, not the full host filesystem. 6. Restrict Flowise to authenticated internal users only; disable public-facing access until patched. 7. Scan for webshells or modified files if the system was potentially exposed pre-patch.
What systems are affected by CVE-2025-61913?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, no-code AI platforms, RAG pipelines.
What is the CVSS score for CVE-2025-61913?
CVE-2025-61913 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 12.12%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0055 Unsecured Credentials AML.T0072 Reverse Shell AML.T0086 Exfiltration via AI Agent Tool Invocation AML.T0101 Data Destruction via AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.
Exploitation Scenario
An attacker with any authenticated Flowise account (even a trial or low-privilege account) builds or modifies a flow that includes ReadFileTool with the path set to ../../../../.env or /proc/self/environ. Execution of this flow returns all environment variables, including LLM API keys, database credentials, and cloud provider tokens. The attacker then uses WriteFileTool with an absolute path to write a PHP or Python webshell to a web-accessible directory, or modifies a cron job to establish persistence. In an agentic context, this attack can be fully automated — an LLM orchestrating the flow can be prompted to iteratively explore the filesystem, exfiltrate credentials, and establish C2, all within the normal Flowise agent execution loop and without triggering traditional anomaly detection.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H References
- github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3 Patch
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8 Release
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c Exploit Vendor
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj Exploit Vendor
- github.com/fkie-cad/nvd-json-data-feeds Exploit
- github.com/tanjiti/sec_profile Exploit
Timeline
Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise CVE-2026-56274 9.9 Flowise: RCE via MCP server command validation bypass
Same package: flowise