Severity: HIGH (7.5) · Ecosystem: npm
Flowise Path Injection at /api/v1/openai-assistants-file
GHSA-h997-3fxj-p5j8 · CVE-2024-36420
Description
Flowise is a drag-and-drop user interface for building customized large language model flows. In Flowise version 1.4.3, the /api/v1/openai-assistants-file endpoint in packages/server/src/index.ts is vulnerable to arbitrary file read: the fileName body parameter is used to build a filesystem path without sanitization, so a caller who controls it can reach files outside the directory the endpoint is meant to serve. As of this advisory, no known patch for this issue is available.
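The following is an added example, not Flowise's own code: a TypeScript handler in the shape the description gives (a user-controlled fileName joined onto a base directory and read back), beside a hardened version that confines the path before touching the filesystem. The store directory name, the sample files and the demo function are constructed for illustration; the page does not say where Flowise keeps these files.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Constructed sandbox: a store directory with one legitimate file, and a
// "secret" one level above it standing in for anything the caller should
// never be able to read. Hypothetical layout, not Flowise's.
function makeSandbox(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "flowise-example-"));
  const store = path.join(root, "openai-assistant");
  fs.mkdirSync(store);
  fs.writeFileSync(path.join(store, "notes.txt"), "assistant file contents");
  fs.writeFileSync(path.join(root, "secret.env"), "API_KEY=example-not-real");
  return root;
}

// Vulnerable pattern: fileName is joined as-is, so a traversal sequence in
// the request body resolves outside the store.
function readVulnerable(store: string, fileName: string): string {
  const target = path.join(store, fileName);
  return fs.readFileSync(target, "utf8");
}

// Hardened pattern: accept only a bare file name, then confirm the resolved
// path still lies inside the store. Returns null for anything rejected.
function safeResolve(store: string, fileName: string): string | null {
  if (typeof fileName !== "string" || fileName.length === 0) return null;
  // Any directory component (".." segments, absolute paths) changes basename.
  if (path.basename(fileName) !== fileName) return null;
  if (fileName === "." || fileName === "..") return null;
  const base = path.resolve(store);
  const target = path.resolve(base, fileName);
  // Containment check: the target must be strictly below the base directory.
  if (!target.startsWith(base + path.sep)) return null;
  return target;
}

function readHardened(store: string, fileName: string): string | null {
  const target = safeResolve(store, fileName);
  if (target === null) return null;
  try {
    return fs.readFileSync(target, "utf8");
  } catch {
    // Missing file, null byte in the name, or a directory: treat all as "not found".
    return null;
  }
}

// Runs both handlers against the sandbox and cleans up afterwards.
function demo(): {
  vulnerable: string;
  hardenedLegit: string | null;
  hardenedTraversal: string | null;
} {
  const root = makeSandbox();
  const store = path.join(root, "openai-assistant");
  try {
    return {
      vulnerable: readVulnerable(store, "../secret.env"),
      hardenedLegit: readHardened(store, "notes.txt"),
      hardenedTraversal: readHardened(store, "../secret.env"),
    };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```

The basename check alone is not enough on its own in general, which is why the resolved path is also compared against the base directory: the two checks together reject relative traversal, absolute paths, and the bare "." and ".." names, while still serving ordinary file names from the store.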
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-36420
- PACKAGE https://github.com/FlowiseAI/Flowise
- WEB https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L982
- ADVISORY https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise