External risk intelligence

Flowise Arbitrary File Write to Remote Code Execution via Document Store API

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2025-71338

Flowise is a low-code tool for building AI agent workflows and LLM applications. These applications are commonly deployed as web services or API endpoints accessible over the network to facilitate integration with other services and user interfaces, making the API surface area frequently reachable in standard deployments.

Path Traversal

Flowiseai Flowise

3.1.3 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

The Flowise platform has a critical vulnerability that could allow unauthorized access to write arbitrary files to the system. This could potentially lead to significant compromise and remote control of affected applications.

  • Attackers can write to any file.
  • Critical for applications handling sensitive data.
  • Confirm if Flowise is used; assess exposure.

Attack Path

How an attacker could exploit the issue

Attackers can reach the Flowise API endpoint for processing documents, and since no authentication is required, they can send specially crafted requests. These requests contain directory traversal sequences in the `fileName` parameter, which bypass security checks and allow an attacker to write arbitrary files to the server's filesystem. This capability can be leveraged to overwrite critical system files, leading to remote code execution when the application restarts.

  • Unauthenticated access to the API.
  • `fileName` parameter in document processing endpoint.
  • Arbitrary file write, leading to RCE.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to write arbitrary files to the filesystem, potentially overwriting critical application files. When the application restarts, this could lead to remote code execution.

  • Asset at risk: Application files and filesystem.
  • How exposure could happen: Unauthenticated writes via API endpoint.
  • Realistic consequence: Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Flowise application owner or the platform team managing the AI/LLM services is likely responsible for addressing this critical vulnerability. The first practical step is to identify all Flowise instances, determine their network accessibility and business criticality, and then assign an accountable owner for remediation planning.

  • Identify Flowise instances and their owners.
  • Verify network exposure and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Flowise?

Flowise is a low-code platform designed for building AI agent workflows and LLM applications. It provides a visual interface to connect various components, commonly deployed as web services or API endpoints to integrate LLMs into larger systems or user-facing interfaces.

What does path traversal mean in CVE-2025-71338?

This vulnerability, classified as CWE-73 (External Control of File Name or Path), allows an attacker to manipulate file paths. By including directory traversal sequences like '../' in a specific parameter, an attacker can escape the intended directory and write files to arbitrary locations on the server's filesystem instead of the expected storage area.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted request to the document store loader API endpoint. The vulnerability relies on the application failing to sanitize the 'fileName' parameter. It is important to note that actions targeting endpoints other than the document store processor do not trigger this specific file write flaw.

Why is this CVE concerning for my infrastructure?

According to Halo Surface Signal, Flowise instances are often deployed as network-accessible web services to facilitate LLM integrations, which increases their reachability. If your instance is exposed to the network, an unauthenticated attacker could overwrite critical application files, potentially leading to remote code execution.

What should I do if I run Flowise?

Your first step is to locate all deployed instances of Flowise within your environment. Once identified, evaluate their network accessibility and the sensitivity of the data they handle. Assign an owner to each instance to manage the remediation process and limit access to these endpoints until you can apply official updates.

References