The vulnerability exists in the WriteFileTool component within Flowise. This tool, designed for LLM file operations, accepts a `file_path` and `text` content from user input without performing any path validation or sanitization. The `_call` method in `WriteFile.ts` directly passes the user-supplied `file_path` and `text` to the `store.writeFile` function. This lack of restriction allows an authenticated attacker to specify an absolute path to any location on the server’s filesystem that the Flowise application has write permissions for. Consequently, arbitrary file content can be written to critical system locations. This primitive can be chained to achieve Remote Code Execution, for example, by overwriting the `package.json` start script, planting a malicious dynamic library, or adding an SSH authorized key.
Platform: Flowise
Version: <=1.4.3
Vulnerability: Arbitrary File Write
Severity: Critical
Date: 2024-10-15
Prediction: 2024-11-05
What Undercode Say:
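```
# Start a test instance of the image
docker pull flowiseai/flowise:latest
docker run -d -p 3000:3000 flowiseai/flowise

# Open a shell in the container, then check for the file written through the tool
docker exec -it <container_id> sh
cat /tmp/hacked.txt
```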
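```
// packages/components/nodes/tools/WriteFile/WriteFile.ts
async _call({ file_path, text }) {
    // Vulnerable: file_path comes straight from user input and reaches
    // the store with no validation, so any absolute path is accepted.
    await this.store.writeFile(file_path, text);
    return 'File written to successfully.';
}
```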
How the Exploit Works:
1. Attacker authenticates to Flowise.
2. Creates an AgentFlow with WriteFileTool.
3. Issues a command like: Write “malicious content” to /app/package.json.
4. The tool writes the content to the specified path.
5. Overwriting package.json scripts leads to RCE.
Protection from this CVE:
Apply vendor patch.
Implement path sanitization.
Restrict write permissions.
Use sandboxing.
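One way to implement the path sanitization item above, shown as an added example (not Flowise's actual patch or code). `resolveInWorkspace`, `guardedCall`, the `FileStore` interface and the workspace root passed in are hypothetical names; the store shape is assumed from the snippet above.

```typescript
import * as path from "node:path";

// Minimal shape of the store behind the tool (assumed from the page's snippet).
interface FileStore {
  writeFile(filePath: string, text: string): Promise<void>;
}

// Resolve a user/LLM-supplied path and refuse anything outside `root`.
// POSIX rules are used on purpose: the page's scenario is a Linux container.
function resolveInWorkspace(root: string, userPath: string): string {
  if (typeof userPath !== "string" || userPath.length === 0) {
    throw new Error("path rejected: empty or non-string file_path");
  }
  if (userPath.includes("\0")) {
    throw new Error("path rejected: NUL byte in file_path");
  }
  const base = path.posix.resolve(root);
  // resolve() lets an absolute userPath replace `base` entirely, so the
  // containment test below is what actually enforces the boundary.
  const candidate = path.posix.resolve(base, userPath);
  const rel = path.posix.relative(base, candidate);
  if (rel === "") {
    throw new Error("path rejected: file_path is the workspace root itself");
  }
  // Compare whole segments: "../x" escapes, but a file named "..x" does not,
  // and "/data/ws-evil" must not pass just because it starts with "/data/ws".
  if (rel === ".." || rel.startsWith("../") || path.posix.isAbsolute(rel)) {
    throw new Error(`path rejected: ${userPath} resolves outside ${base}`);
  }
  return candidate;
}

// Hardened counterpart of the tool's _call: validate first, then write.
async function guardedCall(
  store: FileStore,
  root: string,
  args: { file_path: string; text: string }
): Promise<string> {
  const target = resolveInWorkspace(root, args.file_path);
  await store.writeFile(target, args.text);
  return "File written to successfully.";
}
```

This check is lexical only: a symlink inside the workspace that points elsewhere still needs a real-path check on the parent directory before writing, and the process should also lack write permission outside the workspace.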
Impact:
Remote Code Execution
System Compromise
SSH Backdoor Access
Data Manipulation
Sources:
Reported By: github.com

