← voltar
CVE-2025-71333

Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint

CVSS 9.3 CRITICALEPSS 0.5%CWE-73
Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Produtos afetados
Flowise · Flowise

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6ghttps://www.vulncheck.com/advisories/flowise-arbitrary-file-upload-via-unauthenticated-api-v1-attachments-endpoint