Vulnerability Description
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/Flow-Scanner/lightning-flow-scanner/commit/10f64a5eb193d8a777
- https://github.com/Flow-Scanner/lightning-flow-scanner/releases/tag/core-v6.10.6
- https://github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-
FAQ
What is CVE-2025-67750?
CVE-2025-67750 is a vulnerability with a CVSS score of 8.4 (HIGH). Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metada...
How severe is CVE-2025-67750?
CVE-2025-67750 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-67750?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.