Critical severity · NVD Advisory · Published Oct 8, 2025 · Updated Oct 14, 2025
Flowise is vulnerable to arbitrary file read, arbitrary file write
CVE-2025-61913
Description
Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.
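The missing control described above is path confinement. The following is an added example, not Flowise's code or its 3.0.8 patch: one way a Node.js file tool can confine caller-supplied paths to a single workspace directory. The helper names, the `ws` directory layout and all inputs are assumptions constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when canonical `target` is `root` itself or lies beneath it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Canonicalise a path that may not exist yet (the write case): realpath the
// deepest existing ancestor, then re-append the missing components.
function canonical(p) {
  try {
    return fs.realpathSync(p);
  } catch (err) {
    const parent = path.dirname(p);
    if (err.code !== 'ENOENT' || parent === p) throw err;
    // A dangling symlink exists for lstat but not for realpath; a write would follow it.
    if (fs.lstatSync(p, { throwIfNoEntry: false })) throw err;
    return path.join(canonical(parent), path.basename(p));
  }
}

// Hypothetical helper: returns the canonical path or throws if it leaves `workspace`.
function resolveInWorkspace(workspace, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) throw new Error('invalid path');
  const root = fs.realpathSync(workspace);
  const resolved = canonical(path.resolve(root, userPath));
  if (!isInside(root, resolved)) throw new Error('path escapes workspace');
  return resolved;
}

// Constructed sandbox under the temp directory; all names and inputs are sample data.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const ws = path.join(base, 'ws');
  fs.mkdirSync(ws);
  fs.mkdirSync(path.join(base, 'ws-evil')); // sibling that shares the "ws" prefix
  fs.symlinkSync(base, path.join(ws, 'link')); // symlink leading out of the workspace
  const inputs = { inside: 'new/out.txt', dotdot: '../ws-evil/x',
    absolute: path.join(base, 'ws-evil', 'x'), symlink: 'link/ws-evil/x' };
  const verdict = {};
  for (const [name, p] of Object.entries(inputs)) {
    try { resolveInWorkspace(ws, p); verdict[name] = 'allow'; } catch { verdict[name] = 'deny'; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return verdict;
}

console.log(demo()); // inside: allow; dotdot, absolute, symlink: deny
```

The check and the later open are separate steps, so a workspace that other local processes can modify still needs a guard at open time.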
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flowise (npm) | < 3.0.8 | 3.0.8 |
| flowise-components (npm) | < 3.0.8 | 3.0.8 |
| Flowise (npm) | < 3.0.8 | 3.0.8 |
Affected products
- ghsa-coords, 2 versions: < 3.0.8, + 1 more
- (no CPE), range: < 3.0.8
- (no CPE), range: < 3.0.8
References
- github.com/advisories/GHSA-jv9m-vf54-chjj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-61913 (ghsa, ADVISORY)
- github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3 (ghsa, x_refsource_MISC, WEB)
- github.com/FlowiseAI/Flowise/pull/5275 (ghsa, WEB)
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8 (ghsa, x_refsource_MISC, WEB)
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c (ghsa, x_refsource_MISC, WEB)
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj (ghsa, x_refsource_CONFIRM, WEB)