CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2025-71333 — Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerab...

·Source: NIST NVD

Updated:

Executive Summary

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

Analysis

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise. CVSS Score: 9.8. Published: 2026-06-25T22:16:59.010.

Indicators of Compromise (1)

CVE (1)
CVE-2025-71333
Source Attribution

Originally published by NIST NVD on Jun 25, 2026. Verified by: NIST.

Related Threats