PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71333 Flowise CVE debrief

CVE-2025-71333 is a critical vulnerability in Flowise, a platform for building AI workflows. The vulnerability allows unauthenticated attackers to upload files through the /api/v1/attachments endpoint when storageType is set to local. By exploiting path traversal in the chatId and chatflowId parameters, attackers can upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise. The vulnerability has a CVSS score of 9.3 and is considered critical. Flowise version 2.2.4 and prior are affected by this vulnerability. Users should upgrade to a patched version as soon as possible.

Vendor
Flowise
Product
Unknown
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-25
Original CVE updated
2026-07-01
Advisory published
2026-06-25
Advisory updated
2026-07-01

Who should care

Organizations using Flowise for building AI workflows should prioritize patching this vulnerability. Security teams and administrators responsible for maintaining Flowise installations should be aware of the potential risks and take immediate action to mitigate the vulnerability. Additionally, developers and DevOps teams should review their workflows and ensure that they are not exposing sensitive data or functionality.

Technical summary

The vulnerability exists in the /api/v1/attachments endpoint of Flowise, allowing unauthenticated attackers to upload files. By manipulating the chatId and chatflowId parameters, attackers can exploit path traversal and upload malicious files to arbitrary directories. This could lead to remote code execution and server compromise. The vulnerability is caused by insufficient validation and sanitization of user input. Affected versions of Flowise include 2.2.4 and prior.

Defensive priority

This vulnerability has a high defensive priority due to its critical CVSS score and potential for remote code execution. Organizations should prioritize patching this vulnerability as soon as possible to prevent exploitation.

Recommended defensive actions

  • Upgrade Flowise to a patched version as soon as possible.
  • Review and restrict access to the /api/v1/attachments endpoint.
  • Implement additional security measures, such as input validation and sanitization, to prevent similar vulnerabilities.
  • Monitor Flowise installations for suspicious activity and ensure that security patches are applied in a timely manner.
  • Consider implementing compensating controls, such as web application firewalls, to detect and prevent exploitation.

Evidence notes

The vulnerability is documented in the NVD database and has a CVSS score of 9.3. The CVE record and NVD detail pages provide additional information about the vulnerability, including its impact and affected versions. Vendor advisories and third-party reports also provide guidance on mitigating the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.