Flowise File Upload Vulnerability Allowing Remote Code Execution

A file upload vulnerability has been identified in Flowise version 3.0.7. This vulnerability allows authenticated users to upload arbitrary files without proper validation, enabling the persistent storage of malicious Node.js web shells on the server. The issue arises because the application fails to validate file extensions, MIME types, or file content during the upload process. As a result, harmful scripts can be uploaded and executed if the web shell is triggered, potentially leading to remote code execution. This vulnerability poses a high-severity risk to the application's integrity and confidentiality.

Impact

Exploitation of this vulnerability allows for the persistent upload of malicious web shells, which can be executed to achieve remote code execution on the server.

Reproduction

The vulnerability can be reproduced by sending a POST request to the Flowise API attachment endpoint with a file that contains a web shell script. The request must include a valid JWT token in the cookie header to authenticate the user. Once the file is uploaded, the web shell can be accessed and executed via its exposed HTTP endpoint.