CVE-2025-61687
BaseFortify
Publication date: 2025-10-06
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flowiseai | flowise | 3.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in FlowiseAI version 3.0.7 allows authenticated users to upload arbitrary files without proper validation of file extensions, MIME types, or content. Attackers can upload malicious Node.js web shells that are stored persistently on the server. These web shells expose HTTP endpoints that can execute arbitrary commands if triggered, potentially leading to Remote Code Execution (RCE). The uploaded shells do not execute automatically but can be exploited later through administrator error or chained vulnerabilities. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to upload and store malicious web shells on your server. If these shells are executed, attackers can run arbitrary commands remotely, compromising system integrity and confidentiality. This can lead to unauthorized access, data breaches, and disruption of services, posing a high-severity threat to your system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for suspicious uploaded files, such as Node.js web shells (e.g., shell.js), in the storage directories used by FlowiseAI. Files are stored under the path set by the environment variable BLOB_STORAGE_PATH, or by default under .flowise/storage in the user's home directory, so you can search these directories for unexpected JavaScript files. Additionally, monitoring HTTP POST requests to the file upload endpoints (handled via Multer middleware) for unusual or unauthorized file uploads can help detect exploitation attempts. Example commands to detect suspicious files:
1) Find JavaScript files in the storage directory: `find ~/.flowise/storage -name '*.js'` or `find "$BLOB_STORAGE_PATH" -name '*.js'`
2) Check recent uploads: `ls -lt ~/.flowise/storage`
3) Monitor HTTP logs for POST requests to the attachments upload route.
These steps help identify whether malicious files have been uploaded to the system. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting authenticated user permissions to prevent unauthorized file uploads, monitoring and auditing uploaded files for suspicious content such as Node.js web shells, and removing any detected malicious files from the storage directories. Since no patched versions are available, it is critical to limit access to the file upload functionality and implement additional validation or filtering at the network or application level if possible. Additionally, consider isolating or hardening the server environment to reduce the impact of potential Remote Code Execution. Regularly review logs for unusual activity related to file uploads and HTTP endpoints exposed by the application. [1]
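As an added example (not Flowise's own code and not a patch for this CVE), the following dependency-free JavaScript check enforces the three controls the advisory says were missing: an extension allowlist, agreement between the declared MIME type and the extension, and a content (magic-byte) check. The `validateUpload` function, the `ALLOWED` table and the `file` shape (`{ originalname, mimetype, buffer }`, as Multer's memory storage produces) are assumptions made for this example.

```javascript
// Added example, not Flowise's own code: validate a Multer-received upload
// before it is written under BLOB_STORAGE_PATH. Every gate here corresponds
// to a check the advisory says was absent (extension, MIME type, content).

// Allowlist constructed for this example; trim it to what your deployment needs.
// Each extension is tied to the MIME types and magic-byte prefixes it must carry.
const ALLOWED = {
  '.png': { mimes: ['image/png'], magic: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]] },
  '.jpg': { mimes: ['image/jpeg'], magic: [[0xff, 0xd8, 0xff]] },
  '.pdf': { mimes: ['application/pdf'], magic: [[0x25, 0x50, 0x44, 0x46, 0x2d]] }, // "%PDF-"
  '.txt': { mimes: ['text/plain'], magic: [] }, // no signature; rejected below if it holds NUL bytes
};

// True when buf begins with the byte prefix p.
const hasPrefix = (buf, p) => buf.length >= p.length && p.every((b, i) => buf[i] === b);

// file: { originalname, mimetype, buffer } (assumed shape, as Multer memoryStorage gives).
// Returns { ok: true, ext } or { ok: false, reason }. A .js web shell fails the first gate;
// a shell renamed to shell.js.png fails the content gate.
function validateUpload(file) {
  const name = String(file.originalname || '');
  // Reject path separators, NUL bytes and dotfiles in the client-supplied name.
  if (!name || /[\\/\0]/.test(name) || name.startsWith('.')) {
    return { ok: false, reason: 'bad filename' };
  }
  const m = /(\.[^.]+)$/.exec(name.toLowerCase());
  const ext = m ? m[1] : '';
  const rule = ALLOWED[ext];
  if (!rule) return { ok: false, reason: `extension "${ext}" not allowed` };
  // The client-declared MIME type must agree with the extension, never trusted alone.
  if (!rule.mimes.includes(file.mimetype)) {
    return { ok: false, reason: `declared type ${file.mimetype} does not match ${ext}` };
  }
  const buf = file.buffer || new Uint8Array(0);
  if (rule.magic.length > 0 && !rule.magic.some((p) => hasPrefix(buf, p))) {
    return { ok: false, reason: 'content does not match declared type' };
  }
  if (rule.magic.length === 0 && buf.some((b) => b === 0)) {
    return { ok: false, reason: 'binary content in text upload' };
  }
  // Persist under a server-generated name (random id + ext), never the client name.
  return { ok: true, ext };
}
```

Run it after Multer has received the file into memory and before anything is written to the storage directory; the returned `reason` is suitable for logging alongside the detection steps above.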