CVE-2025-61913 Overview
CVE-2025-61913 is a critical path traversal vulnerability affecting Flowise, a popular drag-and-drop user interface for building customized large language model (LLM) flows. The vulnerability exists in the WriteFileTool and ReadFileTool components, which fail to properly restrict file path access. This allows authenticated attackers to read and write arbitrary files to any path in the file system, potentially leading to remote command execution.
Critical Impact
Authenticated attackers can exploit unrestricted file operations in Flowise to read sensitive system files, write malicious content to arbitrary locations, and potentially achieve remote code execution on affected systems.
Affected Products
- Flowise versions prior to 3.0.8
- FlowiseAI Flowise (all platforms running vulnerable versions)
- Self-hosted Flowise deployments with authenticated user access
Discovery Timeline
- October 8, 2025 - CVE-2025-61913 published to NVD
- October 20, 2025 - Last updated in NVD database
Technical Details for CVE-2025-61913
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from inadequate input validation in Flowise's file handling tools. The WriteFileTool and ReadFileTool components accept user-supplied file paths without proper sanitization, allowing authenticated users to break out of the intended workspace directory and access arbitrary locations on the file system.
The vulnerability is particularly dangerous because it combines both read and write capabilities. An attacker can first read sensitive configuration files, SSH keys, or credentials stored on the system, and then leverage write access to plant malicious files such as cron jobs, SSH authorized keys, or web shells that enable persistent remote code execution.
While authentication is required to exploit this vulnerability, many Flowise deployments may have relaxed authentication policies or be accessible to multiple users within an organization, expanding the potential attack surface significantly.
Root Cause
The root cause is the absence of path validation logic in the WriteFileTool and ReadFileTool components. Prior to version 3.0.8, these tools did not implement checks for path traversal sequences such as .., URL-encoded traversal patterns (%2e%2e, %2f, %5c), null bytes, control characters, or absolute path specifications. This allowed attackers to craft malicious file paths that escape the intended workspace directory and access any location readable or writable by the Flowise process.
Attack Vector
The attack is conducted over the network by authenticated users who can interact with Flowise's LLM flow builder. An attacker constructs a malicious file path containing traversal sequences and submits it through the affected file tools. The following patch demonstrates the security fix implemented to address this vulnerability:
/**
* Enhanced path validation for workspace-scoped file operations
* @param {string} filePath The file path to validate
* @returns {boolean} True if path traversal detected, false otherwise
*/
export const isUnsafeFilePath = (filePath: string): boolean => {
if (!filePath || typeof filePath !== 'string') {
return true
}
// Check for path traversal patterns
const dangerousPatterns = [
/\.\./, // Directory traversal (..)
/%2e%2e/i, // URL encoded ..
/%2f/i, // URL encoded /
/%5c/i, // URL encoded \
/\0/, // Null bytes
// eslint-disable-next-line no-control-regex
/[\\x00-\\x1f]/, // Control characters
/^\/[^/]/, // Absolute Unix paths (starting with /)
/^[a-zA-Z]:\\/, // Absolute Windows paths (C:\)
/^\\\\[^\\]/, // UNC paths (\\server\)
/^\\\\\?\\/ // Extended-length paths (\\?\)
]
return dangerousPatterns.some((pattern) => pattern.test(filePath))
}
Source: GitHub Commit Details
Detection Methods for CVE-2025-61913
Indicators of Compromise
- Unusual file access patterns in Flowise logs indicating paths outside the expected workspace directory
- Presence of traversal sequences (.., %2e%2e) in API request logs or application audit trails
- Unexpected modifications to system configuration files, cron jobs, or SSH authorized_keys files
- New or modified files in sensitive directories created by the Flowise process user
Detection Strategies
- Monitor Flowise application logs for file operations containing path traversal patterns such as .., %2e, or absolute paths
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation or modification
- Configure web application firewalls (WAF) to detect and block requests containing common traversal patterns
- Deploy endpoint detection and response (EDR) solutions to identify suspicious file system access by the Flowise process
Monitoring Recommendations
- Enable verbose logging for Flowise file operations and aggregate logs to a centralized SIEM for analysis
- Create alerts for file access attempts outside the designated Flowise workspace directory
- Monitor the Flowise process for unexpected child process spawning that could indicate successful RCE exploitation
- Review authentication logs for unusual access patterns that may precede exploitation attempts
How to Mitigate CVE-2025-61913
Immediate Actions Required
- Upgrade Flowise to version 3.0.8 or later immediately to remediate this vulnerability
- Review Flowise access logs for signs of exploitation, particularly file operations targeting sensitive system paths
- Audit file system permissions and integrity on systems running vulnerable Flowise versions
- Consider temporarily restricting access to Flowise instances until patching is complete
Patch Information
FlowiseAI has released version 3.0.8 which addresses this vulnerability by implementing comprehensive path validation. The fix introduces the isUnsafeFilePath function that checks for directory traversal sequences, URL-encoded bypass attempts, null bytes, control characters, and absolute path specifications. Organizations should upgrade to Flowise 3.0.8 or later as soon as possible. For technical details, see the GitHub Security Advisory GHSA-j44m-5v8f-gc9c and GitHub Release Notes.
Workarounds
- Run Flowise with minimal file system permissions using a dedicated low-privilege user account
- Deploy Flowise within a containerized environment with restricted volume mounts to limit file system exposure
- Implement network segmentation to limit access to Flowise instances to only authorized users
- Use a reverse proxy with WAF capabilities to filter malicious requests containing traversal patterns before they reach Flowise
# Example: Run Flowise with restricted permissions in Docker
docker run -d \
--name flowise \
--user 1000:1000 \
--read-only \
--tmpfs /tmp \
-v /opt/flowise/workspace:/workspace:rw \
-p 3000:3000 \
flowiseai/flowise:3.0.8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
