CVE-2025-67750
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-67750
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-67750.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-67750
- Aliases
- Published
- 2025-12-12T20:14:21.004Z
- Modified
- 2025-12-14T03:55:04.812825Z
- Severity
-
- 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Lightning Flow Scanner is Vulnerable to Code Injection via Unsafe Use of new Function() in APIVersion Rule
- Details
-
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67750.json", "cwe_ids": [ "CWE-94" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67750.json
- https://github.com/Flow-Scanner/lightning-flow-scanner/commit/10f64a5eb193d8a777e453b25e910144e4540795
- https://github.com/Flow-Scanner/lightning-flow-scanner/releases/tag/core-v6.10.6
- https://github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-55jh-84jv-8mx8
- https://nvd.nist.gov/vuln/detail/CVE-2025-67750
Affected packages
Git / github.com/flow-scanner/lightning-flow-scanner
Affected ranges
- Type
- GIT
- Repo
- https://github.com/flow-scanner/lightning-flow-scanner
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0.0
1.1.0
1.2.0
1.3.0
2.*
2.10
2.11
2.14
2.15
2.16
2.17
2.18
2.19
2.20
2.21
2.22
2.23
2.24
2.25
2.26
2.27
2.28
2.3
2.30
2.4
2.5
2.6
2.7
2.8
2.9
3.*
3.0.0
3.10
3.11
3.12
3.16
3.17
3.17.1
3.17.2-prerelease.1
3.8
3.8.0
3.9
action-v2.*
action-v2.3.0
action-v2.4.0
action-v2.5.0
action-v2.6.0
core-v6.*
core-v6.10.0
core-v6.10.1
core-v6.10.2
core-v6.10.3
core-v6.10.4
core-v6.10.5
core-v6.6.1
core-v6.6.3
core-v6.6.5
core-v6.7.0
core-v6.8.0
core-v6.8.1
v.*
v.1.11.0
v1.*
v1.10.0
v1.11.2
v1.11.3
v1.11.4
v1.12.0
v1.12.1
v1.12.2
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.4.0
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.7.0
v1.8.0
v1.8.5
v1.8.6
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.12.0
v2.2.0
v2.2.1
v2.26.0
v2.26.1
v2.26.2
v2.27.0
v2.27.1
v2.27.2
v2.27.3
v2.28.0
v2.28.1
v2.28.2
v2.28.3
v2.29.0
v2.29.1
v2.31.0
v2.31.1
v2.31.2
v2.31.3
v2.31.4
v2.31.5
v2.31.6
v2.31.7
v2.31.8
v2.32.0
v2.32.1
v2.32.2
v2.32.3
v2.33.0
v2.33.1
v2.34.0
v2.34.1
v2.34.2
v2.35.0
v2.35.1
v2.36.0
v2.36.1
v2.37.0
v2.37.1
v2.38.0
v2.38.1
v2.39.0
v2.39.1
v2.40.0
v2.40.1
v2.40.2
v2.41.0
v2.41.1
v2.42.0
v2.42.1
v2.43.0
v2.43.1
v2.44.0
v2.44.1
v2.45.0
v2.45.1
v2.46.0
v2.46.1
v2.46.2
v3.*
v3.0.0
v3.0.1
v3.1.0
v3.1.1
v3.10.0
v3.10.1
v3.11.0
v3.11.1
v3.12.0
v3.12.1
v3.13.0
v3.13.1
v3.14.0
v3.14.1
v3.15.0
v3.15.1
v3.16.0
v3.16.1
v3.17.0
v3.17.1
v3.17.2
v3.17.2-prerelease
v3.17.3
v3.17.4
v3.17.5
v3.18.0
v3.18.1
v3.18.2
v3.18.3
v3.18.4
v3.18.5
v3.19.0
v3.19.1
v3.19.2
v3.2.0
v3.2.1
v3.20.0
v3.20.1
v3.20.2
v3.20.3
v3.20.4
v3.20.5
v3.20.6
v3.21.0
v3.21.1
v3.21.2
v3.21.3
v3.21.4
v3.21.5
v3.22.0
v3.22.1
v3.22.10
v3.22.11
v3.22.12
v3.22.13
v3.22.14
v3.22.15
v3.22.16
v3.22.17
v3.22.18
v3.22.19
v3.22.2
v3.22.3
v3.22.4
v3.22.5
v3.22.6
v3.22.7
v3.22.8
v3.22.9
v3.23.0
v3.23.1
v3.24.0
v3.24.1
v3.25.0
v3.25.1
v3.26.0
v3.26.1
v3.27.0
v3.27.1
v3.28.0
v3.28.1
v3.29.0
v3.3.0
v3.3.1
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.7.0
v3.7.1
v3.8.0
v3.8.1
v3.9.0
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.1.0
v4.1.1
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.11.4
v4.11.5
v4.11.6
v4.11.7
v4.11.8
v4.11.9
v4.12.0
v4.12.1
v4.12.2
v4.12.3
v4.13.0
v4.13.1
v4.13.10
v4.13.11
v4.13.2
v4.13.3
v4.13.4
v4.13.5
v4.13.6
v4.13.7
v4.13.8
v4.13.9
v4.14.0
v4.14.1
v4.15.0
v4.15.1
v4.16.0
v4.16.1
v4.16.2
v4.16.3
v4.17.0
v4.18.0
v4.18.1
v4.18.2
v4.18.3
v4.18.4
v4.18.5
v4.19.0
v4.19.1
v4.19.2
v4.2.0
v4.2.1
v4.20.0
v4.20.1
v4.21.0
v4.21.1
v4.21.2
v4.22.0
v4.22.1
v4.22.2
v4.22.3
v4.22.4
v4.22.5
v4.22.6
v4.22.7
v4.23.0
v4.23.1
v4.24.0
v4.24.1
v4.24.2
v4.25.0
v4.25.1
v4.26.0
v4.26.1
v4.26.2
v4.26.3
v4.27.0
v4.27.1
v4.28.0
v4.28.1
v4.28.2
v4.28.3
v4.29.0
v4.29.1
v4.29.2
v4.3.0
v4.3.1
v4.30.0
v4.30.1
v4.30.2
v4.31.0
v4.31.1
v4.31.2
v4.31.3
v4.32.0
v4.32.1
v4.32.2
v4.32.3
v4.32.4
v4.32.5
v4.32.6
v4.32.7
v4.33.0
v4.33.1
v4.34.0
v4.34.1
v4.35.0
v4.35.1
v4.35.2
v4.35.3
v4.35.4
v4.35.5
v4.36.0
v4.36.1
v4.36.2
v4.37.0
v4.37.1
v4.37.2
v4.37.3
v4.38.0
v4.38.1
v4.38.2
v4.39.0
v4.39.1
v4.39.2
v4.39.3
v4.4.0
v4.4.1
v4.40.0
v4.40.1
v4.40.2
v4.41.0
v4.41.1
v4.42.0
v4.42.1
v4.43.0
v4.43.1
v4.43.2
v4.43.3
v4.43.4
v4.43.5
v4.43.6
v4.43.7
v4.44.0
v4.44.1
v4.44.2
v4.45.0
v4.45.1
v4.45.2
v4.45.3
v4.45.4
v4.46.0
v4.46.1
v4.46.2
v4.46.3
v4.47.0
v4.47.1
v4.47.2
v4.48.0
v4.48.1
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.7.0
v4.7.1
v4.8.0
v4.8.1
v4.9.0
v4.9.1
v4.9.2
v5.*
v5.0.0
v5.0.1
v5.1.0
v5.2.0
v5.3.0
v5.4.0
v5.5.0
v5.7.0
v5.8.0
v5.8.1
v5.8.2
v5.9.0
v5.9.2
v5.9.3
v5.9.4
v5.9.6
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.3.0
v6.3.1
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.5.0
v6.5.1
v6.6.0
v6.6.2