VYPR
← All advisories
High severity8.4OSV Advisory· Published Dec 12, 2025· Updated Apr 15, 2026

CVE-2025-67750

CVE-2025-67750

Description

Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lightning Flow Scanner ≤6.10.5 uses `new Function()` in the APIVersion rule, allowing arbitrary JavaScript execution via malicious flow metadata.

Vulnerability

Overview

CVE-2025-67750 is a code injection vulnerability in the Lightning Flow Scanner, a tool that analyzes Salesforce Flow metadata. Versions 6.10.5 and below contain an unsafe use of new Function() in the APIVersion rule. The rule evaluates expression strings (e.g., >=58) by constructing and executing a JavaScript function from user-controlled input, without proper sanitization [1][3]. This allows an attacker to inject arbitrary JavaScript code through a crafted flow metadata file or a malicious rule configuration [2].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted expression within the APIVersion rule configuration or by embedding a malicious expression in a flow metadata file that is scanned by the tool. The scanner processes the expression using new Function(), which executes the injected code in the context of the scanning environment [3]. No authentication is required beyond the ability to supply the malicious input to the scanner (e.g., via a CI pipeline, VS Code extension, or CLI).

Impact

Impact

Successful exploitation allows arbitrary JavaScript execution on the developer's machine, CI runner, or editor environment. This could lead to data exfiltration, installation of malware, or compromise of credentials and secrets stored in the development environment [1][3]. The vulnerability is rated High with a CVSS v3 score of 8.4 [2].

Mitigation

The issue is fixed in version 6.10.6 of the core library, along with corresponding updates for the VS Code extension (v2.4.4) and GitHub App (v3.1.0) [3]. The fix removes all uses of new Function() and replaces them with a safer parser that validates operators and performs numeric comparisons without evaluating untrusted JavaScript [4]. A workaround is also available for users who cannot immediately upgrade: the APIVersion rule can be manually evaluated by deleting it from the rule configuration and implementing custom logic [3].

References
  1. GitHub - Flow-Scanner/lightning-flow-scanner: A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flow. Scans metadata for 20+ issues such as hardcoded IDs, unsafe contexts, inefficient DML operations, recursion risks, and more. Supports auto-fixes, rule configurations, and CI/CD integration to help maintain secure and reliable Flow automations.
  2. NVD - CVE-2025-67750
  3. Code Injection via Unsafe Use of `new Function()` in APIVersion Rule
  4. core: fix (CWE-94) when implemented in vs code/ browser env · Flow-Scanner/lightning-flow-scanner@10f64a5

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
lightning-flow-scannernpm
< 6.10.66.10.6

Affected products

2
  • Flow Scanner/Lightning Flow ScannerOSV2 versions
    action-v2.3.0, action-v2.4.0, action-v2.5.0, …+ 1 more
    • (no CPE)range: action-v2.3.0, action-v2.4.0, action-v2.5.0, …
    • (no CPE)range: <=6.10.5

Patches

1
10f64a5eb193

core: fix (CWE-94) when implemented in vs code/ browser env

https://github.com/Flow-Scanner/lightning-flow-scannerRuben HalmanDec 12, 2025via ghsa
commit
1 file changed · +59 32
  • packages/core/src/main/rules/APIVersion.ts+59 32 modified
    @@ -15,45 +15,72 @@ export class APIVersion extends RuleCommon implements IRuleDefinition {
   }
 
   protected check(
-  flow: core.Flow,
-  options: { expression?: string } | undefined,
-  _suppressions: Set<string>
-): core.Violation[] {
-
-  let flowAPIVersionNumber: number | null = null;
-  if (flow.xmldata.apiVersion) {
-    flowAPIVersionNumber = +flow.xmldata.apiVersion;
-  }
+    flow: core.Flow,
+    options: { expression?: string } | undefined,
+    _suppressions: Set<string>
+  ): core.Violation[] {
 
-  // No API version
-  if (!flowAPIVersionNumber) {
-    return [
-      new core.Violation(
-        new core.FlowAttribute("API Version <49", "apiVersion", "<49")
-      )
-    ];
-  }
+    let flowAPIVersionNumber: number | null = null;
+    if (flow.xmldata.apiVersion) {
+      flowAPIVersionNumber = +flow.xmldata.apiVersion;
+    }
 
-  // Custom logic
-  if (options?.expression) {
-    const isValid = new Function(
-      `return ${flowAPIVersionNumber}${options.expression};`
-    )();
-      
-    if (!isValid) {
+    // No API version
+    if (!flowAPIVersionNumber) {
       return [
         new core.Violation(
-          new core.FlowAttribute(
-            `${flowAPIVersionNumber}`,
-            "apiVersion",
-            options.expression
-          )
+          new core.FlowAttribute("API Version <49", "apiVersion", "<49")
         )
       ];
     }
-  }
 
-  return [];
-}
+    // Custom logic
+    if (options?.expression) {
+
+      // Match something like: >= 58
+      const match = options.expression.match(/^\s*(>=|<=|>|<|===|!==)\s*(\d+)\s*$/);
+
+      if (!match) {
+        // Invalid expression format
+        return [
+          new core.Violation(
+            new core.FlowAttribute(
+              "Invalid API rule expression",
+              "apiVersion",
+              options.expression
+            )
+          )
+        ];
+      }
+
+      const [, operator, versionStr] = match;
+      const target = parseFloat(versionStr);
+
+      let isValid = true;
+
+      switch (operator) {
+        case ">": isValid = flowAPIVersionNumber > target; break;
+        case "<": isValid = flowAPIVersionNumber < target; break;
+        case ">=": isValid = flowAPIVersionNumber >= target; break;
+        case "<=": isValid = flowAPIVersionNumber <= target; break;
+        case "===": isValid = flowAPIVersionNumber === target; break;
+        case "!==": isValid = flowAPIVersionNumber !== target; break;
+      }
+
+      if (!isValid) {
+        return [
+          new core.Violation(
+            new core.FlowAttribute(
+              `${flowAPIVersionNumber}`,
+              "apiVersion",
+              options.expression
+            )
+          )
+        ];
+      }
+    }
+
+    return [];
+  }
 
 }
\ No newline at end of file

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.