CVE-2025-67750
Unknown Unknown - Not Provided
Arbitrary JavaScript Execution in Lightning Flow Scanner

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: GitHub, Inc.

Description
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67750
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
lightning_flow scanner 6.10.6
lightning_flow scanner 6.10.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Lightning Flow Scanner versions 6.10.5 and below, where a maliciously crafted flow metadata file can cause arbitrary JavaScript execution during scanning. The issue arises because the APIVersion rule uses new Function() to evaluate expression strings, allowing an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This can lead to execution of harmful code on developer machines, CI runners, or editor environments.

Impact Analysis

The vulnerability can compromise developer machines, continuous integration (CI) runners, or editor environments by allowing arbitrary JavaScript code execution. This can lead to unauthorized actions, data compromise, or disruption of development and deployment processes.

Mitigation Strategies

Upgrade Lightning Flow Scanner to version 6.10.6 or later, as this version contains the fix for the arbitrary JavaScript execution vulnerability. Avoid scanning untrusted or maliciously crafted flow metadata files with versions 6.10.5 and below to prevent compromise of developer machines, CI runners, or editor environments.

Detection Guidance

To detect this vulnerability, you should check the version of the Lightning Flow Scanner installed on your system or CI environment. Versions 6.10.5 and below (or VSX versions prior to 2.4.4) are vulnerable. There are no specific network detection commands provided, but you can verify the installed version by running the CLI command for the Lightning Flow Scanner or checking the VS Code extension version. For example, use `lightning-flow-scanner --version` or check the extension version in VS Code. Additionally, review any flow metadata files for suspicious or crafted expressions in the APIVersion rule that might exploit the vulnerability. To remediate, upgrade to version 6.10.6 or VSX 2.4.4 or later. No direct commands for scanning or detecting malicious payloads are provided in the resources. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67750. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart