Listen to this Post
The vulnerability exists in the `ReadFileTool` class within the Flowise application. This tool is designed to allow Large Language Models (LLMs) to read files from the server’s filesystem. The tool’s `_call` method directly uses the user-supplied `file_path` parameter without performing any path validation or sanitization. It passes this input directly to the `store.readFile(file_path)` function. This lack of restriction means an authenticated attacker can provide an absolute path to any file on the system, such as `/etc/passwd` or /root/.flowise/encryption.key. The tool will then read and return the contents of that specified file, leading to unauthorized disclosure of sensitive information. This arbitrary file read can expose secrets, database files, and SSH keys, which can be leveraged for further attacks, including remote command execution.
Platform: Flowise
Version: <=1.8.2
Vulnerability: Path Traversal
Severity: Critical
date: 2024-10-23
Prediction: 2024-11-13
What Undercode Say:
find packages/components/nodes/tools/ReadFile -name ".ts" -exec grep -l "file_path" {} \;
// packages/components/nodes/tools/ReadFile/ReadFile.ts
async _call({ file_path }: z.infer<typeof this.schema>) {
return await this.store.readFile(file_path) // Vulnerable line
}
docker exec -it flowise_container cat /root/.flowise/encryption.key
How Exploit:
Authenticated user accesses AgentFlow.
Imports malicious agent.json configuration.
Uses ReadFileTool with absolute path.
Retrieves sensitive file contents.
Protection from this CVE:
Implement path sanitization.
Restrict base directory.
Apply access controls.
Validate user input.
Impact:
Information Disclosure
Privilege Escalation
Remote Code Execution
Data Theft
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
