Vulnerability Description
Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.
Related Weaknesses (CWE)
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g
- https://www.vulncheck.com/advisories/flowise-arbitrary-file-upload-via-unauthent
FAQ
What is CVE-2025-71333?
CVE-2025-71333 is a documented vulnerability. Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.
How severe is CVE-2025-71333?
CVSS scoring is not yet available for CVE-2025-71333. Check NVD for updates.
Is there a patch for CVE-2025-71333?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.