CVE-2025-71338
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.
Risk Assessment
The risk for the organization includes potential full server compromise through remote code execution, which could lead to data theft, service disruption, or further attacks on the infrastructure.
Recommendation
It is recommended to immediately update Flowise to the latest version that fixes this vulnerability and implement file path validation to prevent path traversal attacks.
Original NVD description (English source)
Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

