CVE-2025-67750: CWE-94: Improper Control of Generation of Code ('Code Injection') in Flow-Scanner lightning-flow-scanner
Lightning Flow Scanner provides a CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
AI Analysis
Technical Summary
CVE-2025-67750 is a code injection vulnerability classified under CWE-94 affecting lightning-flow-scanner, a tool used for analyzing and optimizing Salesforce Flows. Versions 6.10.5 and earlier allow attackers to craft malicious Salesforce flow metadata files that exploit the APIVersion rule's use of JavaScript's new Function() constructor to evaluate expression strings. This unsafe evaluation enables arbitrary JavaScript code execution during the scanning process. Since the scanner is used as a CLI plugin, VS Code extension, and GitHub Action, the vulnerability can compromise multiple environments including developer workstations, continuous integration runners, and code editor environments. The attack vector requires no privileges or user interaction, making exploitation relatively straightforward once a malicious flow metadata file is introduced. The impact includes full compromise of the scanning environment, potentially leading to data theft, manipulation of codebases, or disruption of development pipelines. The vulnerability was publicly disclosed on December 12, 2025, with a CVSS 3.1 score of 8.4 (high severity), reflecting its ease of exploitation and severe impact on confidentiality, integrity, and availability. The issue is resolved in version 6.10.6 of lightning-flow-scanner. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations, this vulnerability poses significant risks particularly to those heavily invested in Salesforce development and automation. Compromise of developer machines or CI runners can lead to unauthorized access to source code, intellectual property, and sensitive customer data managed within Salesforce environments. The ability to execute arbitrary code can also allow attackers to implant persistent backdoors or disrupt development workflows, causing operational downtime and reputational damage. Organizations relying on automated scanning in their DevSecOps pipelines are especially vulnerable, as malicious flow metadata could be introduced via third-party contributions or compromised repositories. The impact extends beyond individual developers to the broader enterprise infrastructure, potentially affecting compliance with data protection regulations such as GDPR if personal data is exposed or manipulated. The lack of required privileges or user interaction lowers the barrier for exploitation, increasing the urgency for mitigation.
Mitigation Recommendations
European organizations should immediately upgrade all instances of lightning-flow-scanner to version 6.10.6 or later to eliminate the vulnerability. Until upgrades are fully deployed, restrict the ingestion of Salesforce flow metadata files to trusted sources only, and implement rigorous validation and sanitization of these files before scanning. Incorporate static code analysis tools that do not rely on dynamic evaluation of untrusted input to complement existing scanning processes. Isolate CI runners and developer environments running the scanner to limit potential lateral movement in case of compromise. Monitor logs and network traffic for unusual activity indicative of exploitation attempts. Educate developers and DevOps teams about the risks of using untrusted metadata and the importance of timely patching. Finally, review and enhance access controls around development and CI environments to minimize exposure.
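To make the CWE-94 pattern in the technical summary and the "no dynamic evaluation of untrusted input" recommendation concrete, the following is an added example, not code from the lightning-flow-scanner project. It contrasts a version check written in the unsafe new Function() style the advisory describes with a hardened replacement that parses the expression against a strict grammar and compares numbers instead of executing source text. The expression format (a comparison operator followed by a number, e.g. ">=50"), the function names and the sample values are assumptions made for the example.

```javascript
// Added example (not the project's code). Assumed expression format: an
// operator (>=, <=, ==, !=, >, <) followed by a numeric threshold, e.g. ">=50".

// UNSAFE pattern: the rule input is concatenated into JavaScript source and
// executed, so any string reaching this function runs with the scanner's
// privileges (developer machine, CI runner or editor process).
function checkApiVersionUnsafe(apiVersion, expression) {
  // apiVersion "58.0", expression ">=50" becomes the source "return 58.0>=50"
  return new Function(`return ${apiVersion}${expression}`)();
}

// Hardened replacement: accept only the grammar the rule actually needs and
// never turn configuration or metadata strings into executable code.
const EXPRESSION_GRAMMAR = /^\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)?)\s*$/;
const COMPARATORS = {
  '>=': (a, b) => a >= b,
  '<=': (a, b) => a <= b,
  '==': (a, b) => a === b,
  '!=': (a, b) => a !== b,
  '>': (a, b) => a > b,
  '<': (a, b) => a < b,
};

// Returns { op, threshold } or throws if the expression is not a plain comparison.
function parseExpression(expression) {
  const m = EXPRESSION_GRAMMAR.exec(String(expression));
  if (!m) {
    throw new Error(`rejected version expression: ${JSON.stringify(expression)}`);
  }
  return { op: m[1], threshold: Number(m[2]) };
}

// apiVersion comes from flow metadata, expression from rule configuration;
// both are treated as untrusted data, never as code.
function checkApiVersionSafe(apiVersion, expression) {
  const version = Number(apiVersion);
  if (!Number.isFinite(version)) {
    throw new Error(`apiVersion is not numeric: ${JSON.stringify(apiVersion)}`);
  }
  const { op, threshold } = parseExpression(expression);
  return COMPARATORS[op](version, threshold);
}

// Constructed demonstration: a well-formed comparison with extra code appended.
// The unsafe evaluator executes the appendix (it sets a harmless global marker);
// the hardened one rejects the string before anything runs.
function demonstrate() {
  const tampered = '>=50 && (globalThis.injectedMarker = true)';
  delete globalThis.injectedMarker;
  const unsafeResult = checkApiVersionUnsafe('58.0', tampered);
  const unsafeExecuted = globalThis.injectedMarker === true;
  let safeRejected = false;
  try {
    checkApiVersionSafe('58.0', tampered);
  } catch (e) {
    safeRejected = true;
  }
  return { unsafeResult, unsafeExecuted, safeRejected };
}
```

The design point is that a version comparison needs a parser for a tiny grammar, not a JavaScript engine: once the operator and threshold are extracted as data, there is no path by which a crafted flow file or rule configuration can reach code execution, and anything outside the grammar fails closed with an error the scanner can report.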
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-11T20:30:54.927Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693c7a77b31a4aba68228b0e
Added to database: 12/12/2025, 8:26:31 PM
Last enriched: 12/12/2025, 8:28:51 PM
Last updated: 12/14/2025, 10:56:38 PM