
CVE-2025-67750: Lightning Flow Scanner – Salesforce

Overview

A high-severity vulnerability, identified as CVE-2025-67750, has been discovered in Lightning Flow Scanner, a widely used tool for Salesforce Flow analysis and optimization. The flaw (CVSS 8.4) allows arbitrary JavaScript execution through maliciously crafted flow metadata files. Specifically, versions 6.10.5 and below of the CLI plugin, VS Code Extension, and GitHub Action are susceptible. Attackers can leverage the `APIVersion` rule’s use of `new Function()` to evaluate untrusted expression strings, posing a significant risk to developer workstations, CI/CD pipelines, and integrated development environments.

Technical Details

The core of CVE-2025-67750 lies in the insecure handling of expression strings by the `APIVersion` rule within Lightning Flow Scanner. This rule employs `new Function()` for evaluating dynamic expressions. An attacker can inject malicious JavaScript into either the rule’s configuration or, more critically, directly into a crafted Salesforce flow metadata file. When a vulnerable version of Lightning Flow Scanner processes this malicious metadata, the embedded JavaScript executes within the context of the scanning process.

The attack vector is straightforward: an attacker provides a seemingly legitimate but subtly malicious flow metadata file. When a developer or automated system scans this file, the `APIVersion` rule, attempting to evaluate a specific expression, instead executes the attacker’s JavaScript code. This leads to arbitrary code execution on the host system running the scanner. This includes developer machines using the VS Code Extension or CLI, and CI/CD runners utilizing the GitHub Action. Such compromise can facilitate credential theft, exfiltration of sensitive data, lateral movement within a network, or even the injection of malicious code into a build pipeline, creating a potential supply chain attack vector. For a full report on this vulnerability, including detailed exploit metrics, visit CVE-2025-67750 Details.
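To make the failure mode concrete, the following is an added illustration written for this article; it is not code from the Lightning Flow Scanner project. It assumes a simplified version of the `APIVersion` rule in which a configured expression such as `>=58` is compared against the `apiVersion` value read from a flow metadata file; the project's real expression format, rule internals and function names (`evaluateUnsafe`, `evaluateSafe`, `parseExpression`) are assumptions. The unsafe variant builds source text from both inputs and hands it to `new Function()`, so a crafted `apiVersion` value is executed as code; the hardened variant parses the expression with a strict grammar, coerces the metadata value to a number, and never passes either string to the JavaScript engine.

```javascript
// Added illustration for CVE-2025-67750 (not the project's own code).
// Assumption: the rule compares a flow's apiVersion against a configured
// expression of the form "<operator><number>", e.g. ">=58".

// Vulnerable pattern: both the expression and the metadata value are
// concatenated into source text, so either one can carry executable code.
function evaluateUnsafe(expression, apiVersionFromFile) {
  return new Function("return " + apiVersionFromFile + " " + expression)();
}

// Hardened pattern: only a fixed set of operators and a numeric literal are
// accepted, and the comparison is done by ordinary JavaScript, not by eval.
const COMPARATORS = {
  ">": (a, b) => a > b,
  ">=": (a, b) => a >= b,
  "<": (a, b) => a < b,
  "<=": (a, b) => a <= b,
  "==": (a, b) => a === b,
  "!=": (a, b) => a !== b,
};
const EXPRESSION_RE = /^\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)?)\s*$/;

function parseExpression(expression) {
  if (typeof expression !== "string") return null;
  const m = EXPRESSION_RE.exec(expression);
  if (!m) return null;
  return { op: m[1], value: Number(m[2]) };
}

function evaluateSafe(expression, apiVersionFromFile) {
  const parsed = parseExpression(expression);
  if (parsed === null) {
    throw new Error(`rejected expression: ${JSON.stringify(expression)}`);
  }
  // The metadata value is treated strictly as data: non-numeric input is an error.
  const version = Number(String(apiVersionFromFile).trim());
  if (!Number.isFinite(version)) {
    throw new Error(`rejected apiVersion: ${JSON.stringify(apiVersionFromFile)}`);
  }
  return COMPARATORS[parsed.op](version, parsed.value);
}

// Constructed sample inputs: a normal apiVersion as it would appear in flow
// metadata, and a crafted one that smuggles a statement into the comparison.
const configuredExpression = ">=58";
const benignApiVersion = "58.0";
const craftedApiVersion = "(globalThis.sideEffect = 'ran', 58.0)";

function demo() {
  delete globalThis.sideEffect;
  const results = {};
  // The unsafe evaluator executes the crafted value while "comparing" it.
  results.unsafeResult = evaluateUnsafe(configuredExpression, craftedApiVersion);
  results.unsafeRanCode = globalThis.sideEffect === "ran";
  delete globalThis.sideEffect;
  // The hardened evaluator compares the benign value and rejects the crafted one.
  results.safeBenign = evaluateSafe(configuredExpression, benignApiVersion);
  let rejected = false;
  try {
    evaluateSafe(configuredExpression, craftedApiVersion);
  } catch (e) {
    rejected = true;
  }
  results.safeRejected = rejected;
  results.safeRanCode = globalThis.sideEffect === "ran";
  return results;
}
```

The design point is that a comparison rule never needs an interpreter: an allow-list grammar plus numeric coercion covers every legitimate input, so the only thing a dynamic evaluator adds is the ability to run whatever the file or configuration contains.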

Affected Systems

The vulnerability impacts all components of Lightning Flow Scanner at version 6.10.5 or below. This explicitly includes:

  • The Lightning Flow Scanner CLI plugin
  • The Lightning Flow Scanner VS Code Extension
  • The Lightning Flow Scanner GitHub Action

Organizations utilizing these tools to scan Salesforce Flows, particularly those processing metadata from untrusted sources or shared repositories, face immediate risk.

Remediation

Organizations and individual developers must take immediate action to mitigate the risk posed by CVE-2025-67750.

  1. Upgrade Immediately: Upgrade all instances of Lightning Flow Scanner to version 6.10.6 or later. This version contains the necessary patch to address the insecure use of `new Function()`.
  2. Verify All Deployments: Ensure that all instances of the CLI plugin, VS Code Extension, and GitHub Action are updated across developer machines, build servers, and CI/CD environments.
  3. Scan Only Trusted Sources: Exercise caution when scanning Salesforce flow metadata from untrusted or unverified sources. Implement strict code review processes for all flow metadata, especially for newly introduced or modified files.
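The "Verify All Deployments" step is easy to get wrong with a plain string comparison, because `6.9.12` sorts after `6.10.6` lexically yet is affected. The following added check (written for this article, not a project-provided tool) compares versions numerically against the fixed release the advisory names, 6.10.6. The inventory line format `<host>: <package>@<version>` and the host and package names are constructed for the example; feed it whatever version list your own environment produces.

```javascript
// Added deployment check (not Lightning Flow Scanner project code).
// Fixed version is taken from the advisory; everything else is constructed.
const FIXED_VERSION = "6.10.6";

// Parse "major.minor.patch" (optional leading "v"); returns null on garbage.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True for every version below the fixed release (i.e. 6.10.5 and earlier).
function isAffected(version) {
  const parsed = parseVersion(version);
  if (parsed === null) throw new Error(`unparseable version: ${version}`);
  return compareVersions(parsed, parseVersion(FIXED_VERSION)) < 0;
}

// Constructed inventory: one line per environment, "<host>: <package>@<version>".
const inventory = `
ci-runner: lightning-flow-scanner@6.10.5
dev-laptop-1: lightning-flow-scanner@6.9.12
dev-laptop-2: lightning-flow-scanner@6.10.6
build-server: lightning-flow-scanner@7.0.0
`;

// Returns the hosts that still need the upgrade.
function findAffectedHosts(text) {
  const affected = [];
  for (const line of text.split("\n")) {
    const m = /^(\S+):\s*\S+@(\S+)$/.exec(line.trim());
    if (!m) continue; // skip blank or unrecognised lines
    if (isAffected(m[2])) affected.push(m[1]);
  }
  return affected;
}

console.log("hosts still on an affected version:", findAffectedHosts(inventory));
```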

Proactive patching and a vigilant approach to code integrity are paramount to protecting development environments and CI/CD pipelines from this severe arbitrary code execution vulnerability.

About the Author

THW AI Reporter

THW AI Reporter provides automated coverage of the latest CVEs and security advisories for TheHackerWire. Content is generated using AI-assisted analysis and threat intelligence sources to deliver fast, structured insights for defenders, researchers, and security teams.
