{"api_version":"1","generated_at":"2026-06-27T18:35:26+00:00","cve":"CVE-2025-71333","urls":{"html":"https://cve.report/CVE-2025-71333","api":"https://cve.report/api/cve/CVE-2025-71333.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-71333","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-71333"},"summary":{"title":"Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint","description":"Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.","state":"PUBLISHED","assigner":"VulnCheck","published_at":"2026-06-25 22:16:59","updated_at":"2026-06-27 04:17:32"},"problem_types":["CWE-73","CWE-73 External Control of File Name or Path"],"metrics":[{"version":"4.0","source":"disclosure@vulncheck.com","type":"Secondary","score":"9.3","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"9.3","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","data":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"}}],"references":[{"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g","name":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.vulncheck.com/advisories/flowise-arbitrary-file-upload-via-unauthenticated-api-v1-attachments-endpoint","name":"https://www.vulncheck.com/advisories/flowise-arbitrary-file-upload-via-unauthenticated-api-v1-attachments-endpoint","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-71333","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71333","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Flowise","product":"Flowise","version":"affected 2.2.4 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"dorattias","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"71333","cve":"CVE-2025-71333","epss":"0.005160000","percentile":"0.399420000","score_date":"2026-06-26","updated_at":"2026-06-27 00:07:45"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-71333","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-27T02:31:22.938469Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-27T02:32:21.615Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","packageURL":"pkg:npm/flowise","product":"Flowise","vendor":"Flowise","versions":[{"lessThanOrEqual":"2.2.4","status":"affected","version":"0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*","versionEndIncluding":"2.2.4","vulnerable":true}],"negate":false,"operator":"OR"}]}],"credits":[{"lang":"en","type":"reporter","value":"dorattias"}],"datePublic":"2025-03-13T00:00:00.000Z","descriptions":[{"lang":"en","value":"Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise."}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-25T21:41:04.896Z","orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck"},"references":[{"name":"GitHub Security Advisory (GHSA-h42x-xx2q-6v6g)","tags":["vendor-advisory"],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g"},{"name":"VulnCheck Advisory: Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/flowise-arbitrary-file-upload-via-unauthenticated-api-v1-attachments-endpoint"}],"title":"Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint","x_generator":{"engine":"vulncheck-endgame"}}},"cveMetadata":{"assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","assignerShortName":"VulnCheck","cveId":"CVE-2025-71333","datePublished":"2026-06-25T21:41:04.896Z","dateReserved":"2026-06-20T01:48:36.755Z","dateUpdated":"2026-06-27T02:32:21.615Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 22:16:59","lastModifiedDate":"2026-06-27 04:17:32","problem_types":["CWE-73","CWE-73 External Control of File Name or Path"],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-27T02:31:22.938469Z","id":"CVE-2025-71333","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"71333","Ordinal":"1","Title":"Flowise - Arbitrary File Upload via Unauthenticated /api/v1/atta","CVE":"CVE-2025-71333","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"71333","Ordinal":"1","NoteData":"Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.","Type":"Description","Title":"Flowise - Arbitrary File Upload via Unauthenticated /api/v1/atta"}]}}}