SB2026040910 - Multiple vulnerabilities in Flowise
Published: April 9, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2025-61913)
The vulnerability allows a remote user to write arbitrary files to any path on the server, potentially leading to remote command execution.
The vulnerability exists because the WriteFileTool does not restrict a user-supplied file path to a designated directory (improper limitation of a pathname to a restricted directory). A remote user can supply a crafted file path together with arbitrary file content to write a file to any path on the server, potentially leading to remote command execution.
The issue is in packages/components/nodes/tools/WriteFile/WriteFile.ts.
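The missing control is path confinement. The following is an added example, not code from this bulletin or from Flowise's WriteFile.ts, of how a write-file tool can keep a user-supplied path inside a configured base directory; the function names and the /srv/files directory used in the usage are assumptions.

```typescript
import * as path from "path";

// POSIX semantics so results match on every host; a tool running on Windows
// would use `path` (platform-specific) instead of `path.posix`.
const p = path.posix;

/**
 * Resolve `userPath` against `baseDir` and return the absolute target only if
 * it stays inside `baseDir`. Returns null for anything that escapes: absolute
 * paths, "../" segments, and prefix collisions such as "/srv/files2" when the
 * base is "/srv/files". Caveat: this is a lexical check only; if users can
 * create symlinks under the base directory, also compare the realpath of the
 * target's parent directory against the base before writing.
 */
export function resolveInsideBase(baseDir: string, userPath: string): string | null {
  const base = p.resolve(baseDir);
  // resolve() lets an absolute userPath replace the base entirely and
  // collapses "." and ".." segments, so the escape check must be made on
  // the resolved result, never on the raw input string.
  const target = p.resolve(base, userPath);
  const rel = p.relative(base, target);
  if (rel === "") return null;            // the directory itself is not a file
  if (p.isAbsolute(rel)) return null;     // different root (e.g. another drive)
  // A leading ".." segment means the target is outside the base. Compare the
  // whole segment so a file legitimately named "..notes" is still accepted.
  if (rel === ".." || rel.startsWith(".." + p.sep)) return null;
  return target;
}

/**
 * Write helper in which the caller chooses only a name relative to the tool's
 * configured directory, never the directory itself. `writeFn` is injected so
 * the check can be exercised without touching the disk; a real tool would
 * pass fs.writeFileSync. Returns false when the path was rejected.
 */
export function writeConfined(
  baseDir: string,
  userPath: string,
  content: string,
  writeFn: (absPath: string, data: string) => void,
): boolean {
  const target = resolveInsideBase(baseDir, userPath);
  if (target === null) return false;
  writeFn(target, content);
  return true;
}
```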
2) Arbitrary file upload (CVE-ID: CVE-2025-26319)
The vulnerability allows a remote user to upload arbitrary files and potentially execute arbitrary code.
The vulnerability exists due to unrestricted upload of a file with a dangerous type in the attachments upload endpoint when handling file upload requests. A remote user can upload a specially crafted file and potentially execute arbitrary code.
The uploaded file is stored persistently on the server, and code execution requires the uploaded shell to be triggered through administrator error or by chaining with another vulnerability.
Remediation
Install the update from the vendor's website.