Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalPublic exploit

Arbitrary File Read/Write in Flowise WriteFileTool and ReadFileTool

IdentifiersCVE-2025-61913CWE-22· Improper Limitation of a Pathname…

CVE-2025-61913 is a critical vulnerability in Flowise, a drag-and-drop interface for building customized large language model flows. In Flowise versions prior to 3.0.8, the WriteFileTool and ReadFileTool do not properly restrict file path access. As a result, an authenticated attacker can supply attacker-controlled paths and read from or write to arbitrary locations on the underlying filesystem outside any intended restricted directory. The issue is consistent with path traversal / improper pathname restriction behavior and affects remote deployments where these tools are exposed through Flowise functionality. Because arbitrary file write can be used to modify sensitive application, system, or user files, the vulnerability may be chained into remote command execution depending on the target environment and writable paths.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to read arbitrary files from the server filesystem and write arbitrary files to attacker-chosen paths. This can expose sensitive data such as configuration files, credentials, tokens, keys, and application secrets, and can also compromise integrity by overwriting or planting files used by the application or host. In environments where written files influence execution flow, startup behavior, authentication, or dynamic loading, the arbitrary write condition can be leveraged to achieve remote command execution. The published CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H reflects high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or disable access to WriteFileTool and ReadFileTool, especially in agent flows available to untrusted or lower-trust users. Enforce strict allow-listing of readable and writable directories so file operations are confined to a dedicated working directory. Run Flowise with least privilege, preferably as a non-root user, and use hardening measures such as read-only filesystems where feasible, no unnecessary host mounts, and reduced container capabilities to limit the blast radius of arbitrary file access. Additional input validation and canonical path checks should be applied to file operation parameters.

Remediation

Patch, then assume compromise.

Upgrade Flowise to version 3.0.8 or later, which fixes the vulnerable file path handling in WriteFileTool and ReadFileTool. Ensure all deployed Flowise-related packages and images are updated consistently, including Flowise, flowise, and flowise-components where applicable, and rebuild/redeploy Docker images from the fixed release. Validate that the patched version enforces path restrictions for file operations and review any custom integrations or forks for equivalent fixes.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
FlowiseaiFlowiseapplication
FlowiseaiFlowise-Componentsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-61913
NVD
nvd.nist.gov/vuln/detail/CVE-2025-61913
MITRE CWE · CWE-22
Improper Limitation of a Pathname to a…
Patch
github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3
Vendor Advisory
github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c
Vendor Advisory
github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj
Release Notes
github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8