PatchSiren cyber security CVE debrief
CVE-2025-71333 Flowise CVE debrief
CVE-2025-71333 is a critical vulnerability in Flowise, a platform for building AI workflows. The vulnerability allows unauthenticated attackers to upload files through the /api/v1/attachments endpoint when storageType is set to local. By exploiting path traversal in the chatId and chatflowId parameters, attackers can upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise. The vulnerability has a CVSS score of 9.3 and is considered critical. Flowise version 2.2.4 and prior are affected by this vulnerability. Users should upgrade to a patched version as soon as possible.
- Vendor
- Flowise
- Product
- Unknown
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-25
- Original CVE updated
- 2026-07-01
- Advisory published
- 2026-06-25
- Advisory updated
- 2026-07-01
Who should care
Organizations using Flowise for building AI workflows should prioritize patching this vulnerability. Security teams and administrators responsible for maintaining Flowise installations should be aware of the potential risks and take immediate action to mitigate the vulnerability. Additionally, developers and DevOps teams should review their workflows and ensure that they are not exposing sensitive data or functionality.
Technical summary
The vulnerability exists in the /api/v1/attachments endpoint of Flowise, allowing unauthenticated attackers to upload files. By manipulating the chatId and chatflowId parameters, attackers can exploit path traversal and upload malicious files to arbitrary directories. This could lead to remote code execution and server compromise. The vulnerability is caused by insufficient validation and sanitization of user input. Affected versions of Flowise include 2.2.4 and prior.
Defensive priority
This vulnerability has a high defensive priority due to its critical CVSS score and potential for remote code execution. Organizations should prioritize patching this vulnerability as soon as possible to prevent exploitation.
Recommended defensive actions
- Upgrade Flowise to a patched version as soon as possible.
- Review and restrict access to the /api/v1/attachments endpoint.
- Implement additional security measures, such as input validation and sanitization, to prevent similar vulnerabilities.
- Monitor Flowise installations for suspicious activity and ensure that security patches are applied in a timely manner.
- Consider implementing compensating controls, such as web application firewalls, to detect and prevent exploitation.
Evidence notes
The vulnerability is documented in the NVD database and has a CVSS score of 9.3. The CVE record and NVD detail pages provide additional information about the vulnerability, including its impact and affected versions. Vendor advisories and third-party reports also provide guidance on mitigating the vulnerability.
Official resources
-
CVE-2025-71333 CVE record
CVE.org
-
CVE-2025-71333 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory, Exploit
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.