SB2025031350 - Arbitrary file upload in Flowise
Published: March 13, 2025 Updated: May 4, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Arbitrary file upload (CVE-ID: N/A)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote, unauthenticated attacker to write files of arbitrary type and content to the server's local filesystem.
The vulnerability exists because the /api/v1/attachments endpoint accepts file uploads without authentication and uses attacker-controlled path parameters from the request when deciding where the uploaded file is stored. Neither the path parameters nor the uploaded file are restricted, so a remote attacker can send a specially crafted upload request and have the server write a file of the attacker's choosing under a location derived from the attacker's input.
The issue is exposed only when the storageType setting is configured as local. Since local is the default configuration, an instance that has never been explicitly switched to another storage backend should be treated as affected; confirm the configured storage backend rather than assuming it.
Remediation
Install the update from the vendor's website. Until the update is applied, the exposed code path is limited to deployments whose storageType is local, so the configured storage backend should be checked when assessing exposure.