CVE-2025-61687: CWE-434: Unrestricted Upload of File with Dangerous Type in FlowiseAI Flowise

Severity: High
Published: Mon Oct 06 2025 (10/06/2025, 15:54:56 UTC)
Source: CVE Database V5
Vendor/Project: FlowiseAI
Product: Flowise

Description

Flowise is a drag & drop user interface to build a customized large language model flow. A file upload vulnerability in version 3.0.7 of FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). The system fails to validate file extensions, MIME types, or file content during uploads. As a result, malicious scripts such as Node.js-based web shells can be uploaded and stored persistently on the server. These shells expose HTTP endpoints capable of executing arbitrary commands if triggered. The uploaded shell does not automatically execute, but its presence allows future exploitation via administrator error or chained vulnerabilities. This presents a high-severity threat to system integrity and confidentiality. As of time of publication, no known patched versions are available.

AI-Powered Analysis

Last updated: 10/06/2025, 16:03:32 UTC

Technical Analysis

CVE-2025-61687 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting FlowiseAI's Flowise product, specifically version 3.0.7. Flowise is a drag-and-drop interface for building customized large language model workflows. The vulnerability allows authenticated users to upload arbitrary files without any validation of file extension, MIME type, or file content. The missing validation lets an attacker upload a Node.js web shell that persists on the server filesystem. Such a shell exposes HTTP endpoints that, once triggered, execute arbitrary commands, potentially leading to remote code execution (RCE). Exploitation requires authentication but no user interaction beyond the upload itself. The uploaded payload does not execute on upload; its presence creates a persistent backdoor that can be leveraged later, for example through an administrator mistake or by chaining with another vulnerability that causes the server to load or run the stored file. The vulnerability carries a CVSS 3.1 base score of 8.3 (high): low attack complexity, only low privileges (an authenticated user) required, and a high impact on system confidentiality and integrity. No patch or update addressing this vulnerability is currently available. The risk is greatest in environments where Flowise 3.0.7 serves many authenticated users or where credential compromise is plausible.

Potential Impact

For European organizations, this vulnerability threatens the confidentiality, integrity, and availability of systems running Flowise 3.0.7. A persistently stored Node.js web shell can lead to full system compromise through remote code execution, with unauthorized data access, data manipulation, and disruption of AI workflow services that business operations depend on. Organizations in finance, healthcare, research, and critical infrastructure that use AI workflow tools such as Flowise are particularly exposed. Because the shell persists, the attack surface grows over time: an attacker can keep long-term access or pivot to other internal systems. With no patch available, the window of exposure stays open, and the likelihood of exploitation rises in environments with many authenticated users or weak access controls. The authentication requirement limits exposure but does not remove it, since credential theft or an insider could satisfy it. Loss of availability would interrupt AI-driven services and the decision-making that relies on them.

Mitigation Recommendations

1. Immediately restrict access to Flowise 3.0.7 instances to trusted users only and enforce strong authentication such as multi-factor authentication (MFA) to reduce the risk of unauthorized uploads.
2. Implement strict network segmentation and firewall rules to limit external and internal access to the Flowise server, minimizing exposure.
3. Monitor file upload directories for unexpected or suspicious files, especially those with Node.js extensions or unusual content, and establish automated alerts for such anomalies.
4. Conduct regular audits of uploaded files and server filesystem integrity to detect and remove any malicious shells promptly.
5. Employ runtime application self-protection (RASP) or a web application firewall (WAF) with custom rules to detect and block suspicious HTTP requests targeting potential web shell endpoints.
6. If possible, temporarily disable file upload functionality or restrict allowed file types to a safe whitelist until an official patch is released.
7. Keep all related software and dependencies updated and subscribe to vendor advisories for timely patching once available.
8. Educate administrators and users about the risks of this vulnerability and the importance of cautious handling of uploaded files and credentials.
9. Consider deploying endpoint detection and response (EDR) solutions to identify unusual command executions or lateral movement attempts stemming from this vulnerability.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-29T20:25:16.182Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68e3e8427f1d1774cab273fb

Added to database: 10/6/2025, 4:03:14 PM

Last enriched: 10/6/2025, 4:03:32 PM

Last updated: 10/7/2025, 10:57:09 AM
