Home > Vulnerability Database > CVE-2025-67750

Mend.io Vulnerability Database

CVE-2025-67750

Good to know:

Date: December 12, 2025

Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.

Severity Score

8.4

Related Resources (6)

Url: https://github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-55jh-84jv-8mx8

Url: https://github.com/Flow-Scanner/lightning-flow-scanner/releases/tag/core-v6.10.6

Url: https://github.com/Flow-Scanner/lightning-flow-scanner

Url: https://github.com/Flow-Scanner/lightning-flow-scanner/commit/10f64a5eb193d8a777e453b25e910144e4540795

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-67750

Url: https://www.mend.io/vulnerability-database/CVE-2025-67750

Severity Score

8.4

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version lightning-flow-scanner - 6.10.6;https://github.com/Flow-Scanner/lightning-flow-scanner.git - core-v6.10.6

Learn More

CVSS v3.1

Base Score:	8.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-67750

Good to know:

Date: December 12, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?