External risk intelligence

Flowise Arbitrary File Access via Missing Chatflow ID Validation

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2025-71334

The vulnerability resides in a web application API endpoint designed for handling chatflows and file storage. Such applications are commonly deployed as internet-facing services or web-based interfaces to provide chatbot functionality, making them accessible via public network requests.

Remote Code Execution

Flowiseai Flowise

before 3.0.6

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Flowise, a technology used for building conversational AI applications. The issue allows unauthenticated attackers to read and write arbitrary files on the system, which could potentially lead to the execution of malicious code. The primary concern is confirming if this technology is in use and if it is exposed externally.

  • Unauthenticated attackers can access and modify system files.
  • Critical vulnerability could allow remote code execution.
  • Confirm relevance and exposure of Flowise technology.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to the application's API endpoints. No authentication is required to initiate this attack. The attacker targets the file handling operations within the chatflow functionality, which lack proper validation of the `chatflowId` and `chatId` parameters. By manipulating these parameters with path-traversal sequences, an attacker can gain the ability to write arbitrary files to the server and read any file from the server. This could potentially lead to the execution of arbitrary code.

  • No authentication needed.
  • Manipulate file parameters.
  • Arbitrary file read/write.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to read or write arbitrary files on the server when specific API endpoints are accessed. This could occur if the application does not properly validate the `chatflowId` and `chatId` parameters.

  • Arbitrary file access on the server.
  • Exploits path traversal in API requests.
  • Potential for remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The criticality of this arbitrary file access vulnerability in Flowise demands immediate attention from teams managing AI/ML platforms and custom application development. The primary concern is identifying all instances of the affected software, confirming their exposure to the network, and assessing their business criticality. Once these factors are established, the accountable owner can be identified to plan a remediation strategy, which may involve vendor coordination for a fix or implementing temporary risk-reduction measures.

  • App owners and platform teams.
  • Confirm all Flowise deployments and exposure.
  • Plan and execute remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Flowise?

Flowise is a low-code platform built to help developers create and deploy conversational AI applications and custom chatbots. It provides a visual interface for managing complex data flows and integrates with various language models, making it a key component in infrastructure used to power automated customer interaction and data processing tools.

What does arbitrary file access mean in CVE-2025-71334?

This vulnerability is classified as CWE-73, which involves improper validation of user-supplied paths. Because the system fails to verify that specific chat identifiers are valid IDs, an attacker can use path-traversal sequences—like '../'—to escape intended directories. This allows them to read sensitive files from the server or write new, malicious files, potentially giving them full control over the host system.

How do attackers trigger this vulnerability?

An attacker triggers this by sending unauthorized requests to specific API endpoints, such as those used for file uploads or downloads. By supplying a specially crafted string instead of a standard ID number in the chatflow or chat parameters, they manipulate the application into accessing files outside of its authorized storage space. Requests that use properly formatted UUIDs or numbers as parameters do not trigger this specific path-traversal behavior.

Is my Flowise instance at risk?

If you are running versions of Flowise earlier than 3.0.6, your installation is potentially vulnerable. According to Halo Surface Signal, because this technology provides web-based chatbot functionality, it is frequently deployed as an internet-facing service. Any instance exposed to the public network is at a higher risk of being reached by unauthenticated attackers compared to those strictly limited to internal, private network segments.

What steps should I take if I use Flowise?

Begin by auditing your environment to locate all active deployments of Flowise to determine your current version. If you identify affected versions, prioritize restricting network access to these services immediately to reduce the potential for external exploitation. Once contained, consult official project security updates to coordinate a plan for upgrading to a patched version, ensuring that the critical file validation flaw is resolved.

References