Listen to this Post
The vulnerability stems from insufficient validation of user-supplied `chatflowid` and `chatId` parameters within multiple API endpoints. In Case 1, the `addBase64FilesToStorage` function uses the unsanitized `chatflowid` from the request body to construct a filesystem path via path.join(getStoragePath(), chatflowid). An attacker can provide a `chatflowid` containing directory traversal sequences (e.g., ../../tmp), causing the application to write a file to an arbitrary, controlled location. In Case 2, the `streamStorageFile` function uses similar unsanitized parameters to generate a path for file retrieval from local storage or cloud buckets (like S3, where `../` is valid), allowing arbitrary file read. The affected endpoints are whitelisted, permitting unauthenticated exploitation.
Platform: Flowise
Version: Pre-1.4.3
Vulnerability: Path Traversal
Severity: Critical
date: 2024-03-26
Prediction: Patch by 2024-04-02
What Undercode Say:
curl -X POST http://localhost:8080/api/v1/chatflows -H "x-request-from: internal" -d '{"id":"../../tmp/pwn", ...}'
const dir = path.join(getStoragePath(), chatflowid) // Vulnerable line
How Exploit:
import requests
url = "http://target:8080/api/v1/chatflows"
data = {"id":"../../../../etc/passwd", "flowData":"{}"}
requests.post(url, json=data, headers={"x-request-from": "internal"})
Protection from this CVE
Update to version 1.4.3. Implement strict UUID validation for all `chatflowId` and `chatId` parameters. Sanitize user input for path construction.
Impact:
Arbitrary File Write
Arbitrary File Read
Remote Code Execution
Data Breach
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

