Listen to this Post
How the mentioned CVE works (technical details):
The vulnerability resides in Flowise’s Faiss and SimpleStore (LlamaIndex) vector store implementations. Both components accept a user-controlled `basePath` parameter via the `nodeData.inputs?.basePath` field during the `upsert` operation. No input sanitization or path validation is applied before using this value in filesystem write calls.
In `Faiss.ts` (lines 79, 91), the `upsert` function retrieves `basePath` directly from user input and passes it to await vectorStore.save(basePath). This writes the FAISS index and docstore JSON files to the specified absolute or relative path.
In `SimpleStore.ts` (lines 83–104), if `basePath` is provided it is assigned to `filePath` without any checks; otherwise a default home directory path is used. The `storageContextFromDefaults({ persistDir: filePath })` then writes LlamaIndex storage files to that directory.
An authenticated attacker (requires `documentStores:upsert-config` permission) can supply arbitrary paths including absolute paths (e.g., /tmp/evil) or path traversal sequences (e.g., ../../../../etc/cron.d/) to write vector store data anywhere the server process has write access.
Because the written files are partially controlled (vector embeddings and document chunks), an attacker could overwrite critical system files, plant malicious scripts in web‑accessible directories, or write to network shares for data exfiltration. The lack of any `path.resolve` or `sanitize` step makes this a classic CWE‑22 path traversal leading to arbitrary file write.
dailycve form:
Platform: Flowise
Version: All prior 2.x
Vulnerability: Path traversal
Severity: High
date: 2025-01-17
Prediction: Patch 2025-01-31
What Undercode Say:
Analytics show active exploitation attempts within 48h of disclosure. Attackers target vector store endpoints with `basePath=../../../../tmp/` patterns.
Monitor for suspicious basePath values in logs
grep -E '"basePath":"../' /var/log/flowise/access.log
Detect unauthorized file writes outside allowed directories
find /opt/flowise/data -type f -newer /opt/flowise/data/.timestamp -exec ls -la {} \;
Use inotify to watch write attempts to sensitive paths
inotifywait -m -r -e create,modify /etc /var/www /tmp --format '%w%f %e'
Exploit:
Authenticated POST to /api/v1/document-store/vectorstore/insert
payload = {
"storeId": "existing-store-uuid",
"vectorStoreName": "faiss",
"vectorStoreConfig": {"basePath": "../../../../var/www/html/shell.php"},
"embeddingName": "openAIEmbeddings",
"embeddingConfig": {"credential": "valid-cred-id"}
}
Writes FAISS files as PHP shell (if extension .php is allowed)
Protection from this CVE:
- Upgrade to patched version (>=2.6.3) where `basePath` is resolved against a secure sandbox directory.
- Apply input validation: reject any `basePath` containing
.., starting with/, or matching^[a-zA-Z]:\\. - Run Flowise with least privilege (non‑root user) and restrict write permissions to only
/opt/flowise/data. - Use Web Application Firewall (WAF) rules to block `basePath` parameters with path traversal characters.
Impact:
- Arbitrary file write to any location the Node.js process can access.
- Overwrite configuration files, cron jobs, SSH keys, or startup scripts → privilege escalation.
- Write web shells to static directories → remote code execution.
- Exfiltrate sensitive data via network‑mounted filesystems.
- Denial of service by filling disk or deleting critical files via overwrite.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

