CVE-2025-61913: Flowise: path traversal in file tools leads to RCE
CRITICAL | PoC AVAILABLE
Flowise's built-in WriteFileTool and ReadFileTool — agent-accessible tools in the drag-and-drop LLM workflow builder — perform no path sanitization, allowing any authenticated user (low privilege) to read or write arbitrary files anywhere on the host filesystem, with a direct path to remote code execution. The CVSS score of 9.9 reflects the full scope impact (S:C): a single compromised Flowise instance can expose all credentials, configurations, and AI pipeline data on the host, and write access means attackers can plant webshells or overwrite critical system files. A public proof-of-concept exploit exists and there are 16 CVEs in this package's history, indicating a pattern of security debt — treat this as actively exploitable. Patch to Flowise 3.0.8 immediately; if immediate patching is not feasible, disable WriteFileTool and ReadFileTool in all flows via the node configuration and restrict Flowise to isolated, sandboxed environments with no access to host credentials or sensitive paths.
Risk Assessment
Risk is CRITICAL. CVSS 9.9 with network-accessible, low-complexity, low-privilege attack vector and full confidentiality/integrity/availability impact with scope change. A public PoC lowers the bar to script-kiddie level. Flowise is widely deployed by teams building LLM workflows — many deployments expose the UI to internal networks or even the internet. The combination of arbitrary file read (credential harvesting, .env exfiltration, API key theft) and arbitrary file write (webshell deployment, config poisoning, cron-based persistence) makes this a full-host compromise scenario, not just application-level. The 16 prior CVEs in the package signal a systemic lack of security controls in this codebase.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | — | No patch |
Recommended Action
- Patch immediately to Flowise 3.0.8 — the fix is available and the patch commit is public (1fb12cd).
- If patching is delayed: disable WriteFileTool and ReadFileTool nodes in all existing flows and block their use via Flowise's tool configuration.
- Audit access logs for unexpected file path arguments to these tools — look for path traversal patterns (../, /etc/, /home/, /.env).
- Rotate all credentials accessible from the Flowise host (API keys, DB passwords, cloud credentials).
- Deploy Flowise in a containerized environment with filesystem isolation — mount only required directories, not the full host filesystem.
- Restrict Flowise to authenticated internal users only; disable public-facing access until patched.
- Scan for webshells or modified files if the system was potentially exposed pre-patch.
Technical Details
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.
Exploitation Scenario
An attacker with any authenticated Flowise account (even a trial or low-privilege account) builds or modifies a flow that includes ReadFileTool with the path set to ../../../../.env or /proc/self/environ. Execution of this flow returns all environment variables, including LLM API keys, database credentials, and cloud provider tokens. The attacker then uses WriteFileTool with an absolute path to write a PHP or Python webshell to a web-accessible directory, or modifies a cron job to establish persistence. In an agentic context, this attack can be fully automated — an LLM orchestrating the flow can be prompted to iteratively explore the filesystem, exfiltrate credentials, and establish C2, all within the normal Flowise agent execution loop and without triggering traditional anomaly detection.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References
- Patch: github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3
- Release: github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8
- Vendor advisory (exploit details): github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
- Vendor advisory (exploit details): github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj
Related Vulnerabilities (same package: flowise)
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection
- CVE-2025-58434 (9.8) Flowise: auth bypass in reset flow allows full ATO
- CVE-2026-30824 (9.8) Flowise: auth bypass exposes NVIDIA NIM container endpoints
- CVE-2026-30821 (9.8) flowise: Arbitrary File Upload enables RCE
- CVE-2026-31829 (8.8) Flowise: SSRF via HTTP Node exposes internal network