High severity · 8.4 · OSV Advisory · Published Dec 12, 2025 · Updated Apr 15, 2026
CVE-2025-67750
Description
Lightning Flow Scanner provides a CLI plugin, VS Code extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, so an attacker can supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
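Added illustration of the mechanism described above (not the project's own code, and not its actual fix): a rule that splices a configurable expression into new Function() beside one that only accepts a fixed comparison grammar. It assumes the rule compares a flow's apiVersion against an expression such as ">=58"; the real expression syntax used by lightning-flow-scanner is not reproduced here.

```javascript
// Added illustration, not lightning-flow-scanner's own code: a rule that hands a
// configurable expression to new Function() versus one that parses a fixed grammar.
// Assumption: the rule compares a flow's apiVersion against an expression such as
// ">=58"; the project's real expression syntax is not reproduced here.

// Vulnerable pattern: the expression string is spliced into JavaScript source, so
// whatever appears in rule config or flow metadata runs with the scanner's rights.
function checkApiVersionUnsafe(apiVersion, expression) {
  return new Function("apiVersion", `return apiVersion ${expression};`)(apiVersion);
}

// Hardened pattern: only "<operator><number>" is accepted, the operator is looked up
// in a table, and anything else is rejected instead of executed.
const OPERATORS = {
  ">": (a, b) => a > b,
  ">=": (a, b) => a >= b,
  "<": (a, b) => a < b,
  "<=": (a, b) => a <= b,
  "==": (a, b) => a === b,
  "!=": (a, b) => a !== b,
};
const EXPRESSION = /^\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)?)\s*$/;

function checkApiVersionSafe(apiVersion, expression) {
  const m = EXPRESSION.exec(String(expression));
  if (!m) throw new Error(`rejected expression: ${JSON.stringify(expression)}`);
  return OPERATORS[m[1]](Number(apiVersion), Number(m[2]));
}

// Constructed sample input: a benign marker that only flips a flag. Under
// new Function() it is executed as code; the safe checker refuses it outright.
const HOSTILE = "< 0 || (globalThis.__demoProbe.executed = true)";

function demonstrateInjection() {
  globalThis.__demoProbe = { executed: false };
  checkApiVersionUnsafe(59, HOSTILE); // returns true, and the marker ran
  return globalThis.__demoProbe.executed; // true: config text became code
}

function demonstrateRejection() {
  try {
    checkApiVersionSafe(59, HOSTILE);
    return false;
  } catch (_) {
    return true; // the hostile expression never reaches an evaluator
  }
}

console.log(checkApiVersionSafe(59, ">=58"), demonstrateInjection(), demonstrateRejection());
```

The same shape of check (a closed grammar and an operator table) is what to look for when reviewing any scanner rule that reads expressions from configuration or from the scanned artifact itself.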
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lightning-flow-scanner (npm) | < 6.10.6 | 6.10.6 |
Affected products
- Range: action-v2.3.0, action-v2.4.0, action-v2.5.0, …
References
- github.com/advisories/GHSA-55jh-84jv-8mx8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67750 (GHSA, advisory)
- github.com/Flow-Scanner/lightning-flow-scanner/commit/10f64a5eb193d8a777e453b25e910144e4540795 (NVD, web)
- github.com/Flow-Scanner/lightning-flow-scanner/releases/tag/core-v6.10.6 (NVD, web)
- github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-55jh-84jv-8mx8 (NVD, web)