CVE-2025-61687: 
Flowise vulnerability analysis and mitigation

A file upload vulnerability (CVE-2025-61687) was discovered in FlowiseAI version 3.0.7, a drag & drop user interface for building customized large language model flows. The vulnerability, discovered on October 6, 2025, allows authenticated users to upload arbitrary files without proper validation, enabling attackers to store malicious Node.js web shells on the server that could lead to Remote Code Execution (RCE) (NVD, GitHub Advisory).

The vulnerability stems from insufficient file validation during the upload process. The system fails to validate file extensions, MIME types, or file content, allowing malicious scripts such as Node.js-based web shells to be uploaded and stored persistently on the server. These shells can expose HTTP endpoints capable of executing arbitrary commands when triggered. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows attackers to persistently upload and store malicious web shells on the server. While the uploaded shell does not automatically execute, its presence enables future exploitation through administrator error or chained vulnerabilities. This presents a high-severity threat to system integrity and confidentiality, potentially leading to Remote Code Execution if the shell is triggered (GitHub Advisory).

As of the time of publication, no patched versions are available for this vulnerability. Users should monitor for updates and implement strict access controls to the file upload functionality (NVD).