Hi Kim,

I can confirm FME Flow is not affected by CVE-2024-56337, CVE-2024-50379 or CVE-2025-24813, since these vulnerabilities require write access to the default servlet which Flow doesn’t provide.

Sorry it took so long for you to get a response to this! 

Thanks,
Zoe

Edit: Since this response, we’ve published an article on CVE-2025-24813’s impact on FME.

​@zoeforbes Is there going to be any article regarding CVE-2025-24813, which we can point clients to?

My indication yesterday to clients was that the default servlet is readonly, but I also said you guys would be looking into it to confirm.

Hi ​@todd_davis, there isn’t an article yet but I’ve let the Knowledge Base team know it’s been requested. They do however tend to only create articles for vulnerabilities affecting FME, so one may not be published.

If clients remain concerned, please feel free to submit ticket with them CC’d. Unfortunately, there isn’t much more information we can provide beyond confirming that the vulnerabilities I mentioned above don’t affect Flow as the default servlet is read-only.

Thanks ​@zoe.forbes. I have sent relevant clients a screenshot of your initial response, so hopefully that will suffice.