Last Week in AppSec for 19. August 2025 - Checkmarx


August 19, 2025


Here are some news items our team found interesting over the past week, which you might have missed.

  • Flowise — a visual workflow developer for Agentic AI — versions prior to 3.0.6 had an arbitrary JavaScript injection (CVSS 9.8) bug that let an attacker run code in the Flowise context, leading to secrets/tokens leakage and RCE in some deployments. Flowise users should upgrade to at least 3.0.6, rotate any API keys used by flows, and audit Flowise logs for suspicious node/flow edits.
  • Popular Go module go-getter from HashiCorp (makers of the popular Terraform and Vault products) has a symlink-style path traversal flaw (CVSS 7.5), allowing users to read files outside a specified directory. Upgrade to 1.7.9 or newer, and review build agents to make sure they’re running tools with least privilege.
  • Keras — the high-level API for the TensorFlow ML framework — has a “safe_mode” bypass that lets crafted models trigger arbitrary file writes (and sometimes RCE) even with safe_mode on; fixed in Keras 3.11.0. Upgrade Keras to at least 3.11.0, avoid loading untrusted .keras models, and consider allow‑listing deserialization targets.
  • Rails Active Storage allowed unsafe image transformation methods/params by default (CVSSv4 8.2) in many versions since 5.2.0. This flaw enables potential command injection when user‑supplied params flow in. Upgrade active_storage to 7.1.5.2, 7.2.2.2, or 8.0.2.1; review code to ensure your applications avoid passing arbitrary transform params.

Arbitrary JavaScript injection in Flowise AI Agent developer tool

Flowise — a visual workflow developer for Agentic AI — versions prior to 3.0.6 had an arbitrary JavaScript injection (CVSS 9.8) bug that let an attacker run code in the Flowise context, leading to secrets/tokens leakage and RCE in some deployments. Flowise users should upgrade to at least 3.0.6, rotate any API keys used by flows, and audit Flowise logs for suspicious node/flow edits.

JFrog discovered and disclosed this issue, describing a pathway by which user input reaches a Function constructor, allowing an attacker to inject arbitrary JavaScript code that runs on the Flowise host. Some versions of Flowise even run this code in an authenticated context, making it a useful target for attackers. Exfiltration of secrets and, depending on host controls, lateral movement via Remote Code Execution (RCE) are possible.

Symlink Path Traversal in HashiCorp’s go-getter module

Popular Go module go-getter from HashiCorp (makers of the popular Terraform and Vault products) has a symlink-style path traversal flaw (CVSS 7.5), allowing users to read files outside a specified directory. Upgrade to 1.7.9 or newer, and review build agents to make sure they’re running tools with least privilege.

The go-getter module permits downloading of subdirectories using expansion patterns including globs, and extracting contents to a local directory. If symlinks are in the remote source, they are followed without regard to the directory pattern specified in the request. This results in attackers gaining unexpected read access. The risk posed by this issue can be mitigated significantly by ensuring that least privilege on filesystems is properly maintained, especially in CI/CD systems (where go-getter is commonly used).

HashiCorp disclosed this issue on 15. August.
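A post-fetch check a build agent could run over a downloaded source tree, reporting symlinks that resolve outside the destination directory. This is an added example, not go-getter's code or HashiCorp's fix; the function names, directory layout and file names are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import tempfile


def escaping_symlinks(root):
    """Return (link, resolved_target) for each symlink under root that resolves outside it."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: linked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves relative and chained links
            # Compare whole path components, so "/a/fetched2" is not inside "/a/fetched".
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def demo():
    """Build a constructed tree with one safe and one escaping link, then audit it."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "fetched")
        app = os.path.join(root, "modules", "app")
        os.makedirs(app)
        outside = os.path.join(base, "ci-secret.txt")  # lives outside root
        for path in (outside, os.path.join(app, "main.tf")):
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        os.symlink("main.tf", os.path.join(app, "inside"))  # stays inside root
        os.symlink("../../../ci-secret.txt", os.path.join(app, "leak"))  # escapes root
        return [link for link, _ in escaping_symlinks(root)]


if __name__ == "__main__":
    print(demo())
```

A non-empty result is a reason to fail the job before any later step reads from the fetched tree.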

TensorFlow API “Keras” allows arbitrary file writes and RCE

Keras — the high-level API for the TensorFlow ML framework — has a “safe_mode” bypass that lets crafted models trigger arbitrary file writes (and sometimes RCE) even with safe_mode on; fixed in Keras 3.11.0. Upgrade Keras to at least 3.11.0, avoid loading untrusted .keras models, and consider allow‑listing deserialization targets.

Keras permits ML models to include Python Lambda functions, which can be loaded (and therefore executed) by Keras/TensorFlow. While this is by design, Keras has included a safe_mode flag intended to prevent this from occurring. However, a weakness in the implementation of the related feature meant that a check for this specific case was not available.

While the updated Keras implementation does address this issue, it cannot check for the problem in older model serialization formats and several other cases. This underscores the importance of not loading untrusted models or models with uncertain provenance.
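One way to allow-list deserialization targets before a model ever reaches the Keras loader, shown as an added example that is not Keras code. It assumes a .keras file is a zip archive whose config.json nests objects carrying "module" and "class_name" keys; the allow-list and the sample layers are constructed for illustration.

```python
import io
import json
import zipfile

# Assumed allow-list: the (module, class_name) pairs the application expects.
ALLOWED_TARGETS = {
    ("keras", "Sequential"),
    ("keras.layers", "Dense"),
    ("keras.initializers", "GlorotUniform"),
}

def disallowed_targets(node, path="config.json"):
    """Walk the config tree and list every object not on the allow-list."""
    findings = []
    if isinstance(node, dict):
        if "class_name" in node:
            target = (node.get("module"), node["class_name"])
            if target not in ALLOWED_TARGETS:
                findings.append(f"{path}: {target[0]}.{target[1]}")
        for key, value in node.items():
            findings += disallowed_targets(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings += disallowed_targets(value, f"{path}/{index}")
    return findings

def audit_keras_archive(blob):
    """Return findings; [] means pass. Non-zip (other format) files are rejected."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return ["not a .keras zip archive"]
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        if "config.json" not in archive.namelist():
            return ["config.json missing"]
        config = json.loads(archive.read("config.json"))
    return disallowed_targets(config)

def build_sample(layers):
    """Build a constructed in-memory archive that holds only config.json."""
    config = {"module": "keras", "class_name": "Sequential", "config": {"layers": layers}}
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("config.json", json.dumps(config))
    return buffer.getvalue()

# Constructed sample layers; the Lambda entry carries no code.
INIT = {"module": "keras.initializers", "class_name": "GlorotUniform", "config": {}}
DENSE = {"module": "keras.layers", "class_name": "Dense", "config": {"kernel_initializer": INIT}}
LAMBDA = {"module": "keras.layers", "class_name": "Lambda",
          "config": {"function": {"class_name": "__lambda__", "config": {}}}}
```

Because the check reads only the archive's JSON, it does not depend on safe_mode and refuses files in formats it cannot inspect.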

Rails Active Storage has unsafe ImageMagick transformations

Rails Active Storage allowed unsafe image transformation methods/params by default (CVSSv4 8.2) in many versions since 5.2.0. This flaw enables potential command injection when user‑supplied params flow in. Upgrade active_storage to 7.1.5.2, 7.2.2.2, or 8.0.2.1; review code to ensure your applications avoid passing arbitrary transform params.

This vulnerability only affects Active Storage when the image_processing gem and mini_magick are used together; however, this is a very common configuration. When vulnerable, user-supplied parameters for image transformation can result in a command injection as the transformation system allows providing methods as well as arbitrary arguments.

Risk associated with this vulnerability can be mitigated significantly by ensuring the underlying ImageMagick installation has an appropriately configured security policy.
