Ddos 
The maintainers of Flowise, an open-source generative AI development platform for building AI agents and LLM workflows, have released an urgent security update addressing a critical vulnerability (CVE-2025-61913) that could allow remote command execution on affected systems.
The flaw, rated CVSS 10 (Critical), resides in the platform’s WriteFileTool component, which fails to restrict file paths during file operations — enabling authenticated attackers to write arbitrary files anywhere on the server’s filesystem.
According to the security advisory, “The WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerability to write arbitrary files to any path in the file system, potentially leading to remote command execution.”
Flowise provides a WriteFileTool for interacting with the server’s filesystem, enabling large language models to store outputs or intermediate data. However, the tool’s implementation in packages/components/nodes/tools/WriteFile/WriteFile.ts fails to validate the file_path parameter, allowing arbitrary file writes.
The advisory explains that the class “directly uses the file_path parameter passed to it without verifying whether the path belongs to Flowise’s working directory.”
Here’s the relevant vulnerable code snippet cited in the advisory:
This lack of path sanitization means that an attacker authenticated to the Flowise interface can instruct the system to write or overwrite any file on the host — including critical configuration files, startup scripts, and system binaries.
While Flowise’s maintainers note that exploitation requires authentication, the risk remains severe. The advisory warns, “Authenticated attackers can exploit this vulnerability to write files with arbitrary content to any path on the server.”
Because the attacker controls both the file path and content, multiple avenues for remote code execution (RCE) become possible.
The advisory details several potential exploitation techniques:
- Writing a malicious public SSH key to ~/.ssh/authorized_keys for remote shell access.
- Overwriting /etc/ld.so.preload to hijack dynamic libraries and inject malicious code.
- Modifying package.json to change startup commands — a method previously described in an earlier Flowise vulnerability (GHSA-8vvx-qvq9-5948).
This makes the flaw especially dangerous in production environments where Flowise is deployed with elevated privileges or integrated into broader AI automation pipelines.
Since Flowise is often deployed in development environments, AI infrastructure clusters, and cloud-based LLM automation pipelines, the attack surface includes not only developer workstations but also containerized services and CI/CD agents that interact with model workflows.
If compromised, attackers could pivot through these systems to access API keys, AI model weights, or sensitive training data stored locally or in connected cloud buckets.
The vulnerability affects all Flowise versions up to and including 3.0.5. The issue has been patched in Flowise version 3.0.6.
Administrators are strongly advised to upgrade immediately, revoke any potentially compromised credentials, and audit filesystem integrity on affected servers.
Related Posts:
- Critical RCE Flaws Found in Flowise AI Platform, Allowing Remote Code Execution
- CVE-2025-26319 (CVSS 9.8): Flowise Open-Source Platform Vulnerable to File Upload Exploit, No Patch
- Major npm flaw crashes Linux Systems, force users to reinstall
- CRITICAL (CVSS 9.4) Python ‘tarfile’ Vulnerability: Arbitrary Filesystem Writes Possible!
- Linux Kernel 6.16 Released: Boosting Hardware Support, Filesystems, & Networking
Donate