COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2025-71333

CVE-2025-71333

Severity
critical
Source
NVD · cve
Published
2026-06-25
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-71333
⚡ RCE shame 50/100 rce

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary director

Players implicated

flowiseai · vendorflowise · product

Description

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.