Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-gver-jbrj-zqfu
Vulnerability ID VCID-gver-jbrj-zqfu
Aliases GHSA-h42x-xx2q-6v6g
Summary Flowise Pre-auth Arbitrary File Upload ## Summary An unauthorized attacker can leverage the whitelisted route `/api/v1/attachments` to upload arbitrary files when the `storageType` is set to **local** (default). ## Details When a new request arrives, the system first checks if the URL starts with `/api/v1/`. If it does, the system then verifies whether the URL is included in the whitelist (*whitelistURLs*). If the URL is whitelisted, the request proceeds; otherwise, the system enforces authentication. @ */packages/server/src/index.ts* ```typescript this.app.use(async (req, res, next) => { // Step 1: Check if the req path contains /api/v1 regardless of case if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) { // Step 2: Check if the req path is case sensitive if (URL_CASE_SENSITIVE_REGEX.test(req.path)) { // Step 3: Check if the req path is in the whitelist const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url)) if (isWhitelisted) { next() } else if (req.headers['x-request-from'] === 'internal') { basicAuthMiddleware(req, res, next) } else { const isKeyValidated = await validateAPIKey(req) if (!isKeyValidated) { return res.status(401).json({ error: 'Unauthorized Access' }) } next() } } else { return res.status(401).json({ error: 'Unauthorized Access' }) } } else { // If the req path does not contain /api/v1, then allow the request to pass through, example: /assets, /canvas next() } } ``` **The whitelist is defined as follows** ```typescript export const WHITELIST_URLS = [ '/api/v1/verify/apikey/', '/api/v1/chatflows/apikey/', '/api/v1/public-chatflows', '/api/v1/public-chatbotConfig', '/api/v1/prediction/', '/api/v1/vector/upsert/', '/api/v1/node-icon/', '/api/v1/components-credentials-icon/', '/api/v1/chatflows-streaming', '/api/v1/chatflows-uploads', '/api/v1/openai-assistants-file/download', '/api/v1/feedback', '/api/v1/leads', '/api/v1/get-upload-file', '/api/v1/ip', '/api/v1/ping', '/api/v1/version', '/api/v1/attachments', '/api/v1/metrics' ] ``` This means that every route in the whitelist does not require authentication. Now, let's examine the `/api/v1/attachments` route. @ */packages/server/src/routes/attachments/index.ts* ```typescript const router = express.Router() // CREATE router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment) export default router ``` After several calls, the request reaches the `createFileAttachment` function @ (*packages/server/src/utils/createAttachment.ts*) Initially, the function retrieves *chatflowid* and *chatId* from the request without any additional validation. The only check performed is whether these parameters exist in the request. ```typescript const chatflowid = req.params.chatflowId if (!chatflowid) { throw new Error( 'Params chatflowId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId' ) } const chatId = req.params.chatId if (!chatId) { throw new Error( 'Params chatId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId' ) } ``` Next, the function retrieves the uploaded files and attempts to add them to the storage by calling the `addArrayFilesToStorage` function. ```typescript const files = (req.files as Express.Multer.File[]) || [] const fileAttachments = [] if (files.length) { // ... for (const file of files) { const fileBuffer = await getFileFromUpload(file.path ?? file.key) // get the uploaded file const fileNames: string[] = [] file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8') // add it to the storage const storagePath = await addArrayFilesToStorage(file.mimetype, fileBuffer, file.originalname, fileNames, chatflowid, chatId) // add it to the storage // ... await removeSpecificFileFromUpload(file.path ?? file.key) // delete from tmp // ... fileAttachments.push({ name: file.originalname, mimeType: file.mimetype, size: file.size, content }) } catch (error) { throw new Error(`Failed operation: createFileAttachment - ${getErrorMessage(error)}`) } } } return fileAttachments ``` Now lets take a look at `addArrayFilesToStorage` function @ (*/packages/components/src/storageUtils.ts*) ```typescript export const addArrayFilesToStorage = async (mime: string, bf: Buffer, fileName: string, fileNames: string[], ...paths: string[]) => { const storageType = getStorageType() const sanitizedFilename = _sanitizeFilename(fileName) if (storageType === 's3') { // ... } else { const dir = path.join(getStoragePath(), ...paths) // PATH TRAVERSAL. if (!fs.existsSync(dir)) { fs.mkdirSync(dir, { recursive: true }) } const filePath = path.join(dir, sanitizedFilename) fs.writeFileSync(filePath, bf) fileNames.push(sanitizedFilename) return 'FILE-STORAGE::' + JSON.stringify(fileNames) } } ``` As noted in the comment, to construct the directory, the function joins the output of the `getStoragePath` function with `...paths`, which are essentially the `chatflowid` and `chatId` extracted earlier from the request. However, as mentioned previously, these values are not validated to ensure they are UUIDs or numbers. As a result, an attacker could manipulate these variables to set the **dir** variable to any value. Combined with the fact that the filename is also provided by the user, this leads to **unauthenticated arbitrary file upload**. ## POC This is the a HTTP request. As observed, we are not authenticated, and by manipulating the `chatId` parameter, we can perform a path traversal. In this example, we overwrite the `api.json` file, which contains the API keys for the system. ![File Uplaod Vulnerability.](https://lh3.googleusercontent.com/d/1zcr-MSJUnRbGRmnoD_meo5uh8Hf8FaEK) > in this example, the **dir** variable will be ```typescript var dir = '/root/.flowise/storage/test/../../../../../../../../root/.flowise/' ``` > and the file name is `api.json` And the API Keys in the UI ![File Uplaod Vulnerability.](https://lh3.googleusercontent.com/d/1Y0jl8uQuzpp0EFyUzCItifiG5UW35hhV) ### Impact This vulnerability could potentially lead to * Remote Code Execution * Server Takeover * Data Theft And more
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-h42x-xx2q-6v6g
cvssv4 9.3 https://github.com/FlowiseAI/Flowise
generic_textual CRITICAL https://github.com/FlowiseAI/Flowise
cvssv4 9.3 https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7
generic_textual CRITICAL https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7
cvssv3.1_qr CRITICAL https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g
cvssv4 9.3 https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g
generic_textual CRITICAL https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g
Reference id Reference type URL
https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g
GHSA-h42x-xx2q-6v6g https://github.com/advisories/GHSA-h42x-xx2q-6v6g
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/FlowiseAI/Flowise
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T07:54:16.115850+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-h42x-xx2q-6v6g/GHSA-h42x-xx2q-6v6g.json 38.6.0