Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity, unauthenticated file write with no user interaction yields full RCE; scope changed (S:C) as the write escapes the storage sandbox to host files.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.
AnalysisAI
Arbitrary file write leading to remote code execution in FlowiseAI Flowise (versions <= 2.2.7) lets unauthenticated remote attackers overwrite any file on the host via the /api/v1/document-store/loader/process endpoint. The fileName parameter is passed unsanitized into path.join() inside storageUtils.ts, so ../ sequences escape the storage directory; overwriting package.json injects a malicious start script that executes on the next application restart. Publicly available exploit code exists (vendor GHSA PoC overwriting package.json), and the issue carries a CVSS 4.0 base score of 10.0; no public active-exploitation listing was identified at time of analysis.
Technical ContextAI
Flowise is an open-source low-code/drag-and-drop builder for LLM orchestration and AI agent workflows, distributed as the npm package 'flowise'. The flaw is rooted in CWE-73 (External Control of File Name or Path): the file-storage helpers addBase64FilesToStorage, addArrayFilesToStorage, and addSingleFileToStorage in packages/components/src/storageUtils.ts construct a destination via path.join(dir, fileName) followed by fs.writeFileSync(filePath, bf), where fileName originates from untrusted request input. Because path.join resolves ../ traversal segments, the effective write target can be relocated to any location the Node process can write to. The document-store loader/process API surfaces this primitive without authentication, turning a file-write into RCE by overwriting build/run manifests such as package.json.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - apply the upstream remediation commit https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 referenced in the GHSA advisory, and monitor https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-8vvx-qvq9-5948 for a tagged release above 2.2.7 since no fixed version is published in package metadata. Until a tagged build is confirmed, place Flowise behind authentication and a reverse proxy that blocks or rejects requests to /api/v1/document-store/loader/process from untrusted networks, and restrict network exposure so the instance is not internet-facing (trade-off: breaks legitimate remote document-store ingestion). As a compensating control, run the Node process under a low-privilege user with the application directory and package.json mounted read-only so traversal writes to critical manifests fail (trade-off: may break features that legitimately write to storage and require build-time write access). Validate and reject any fileName containing ../ or absolute paths at the proxy/WAF layer as an interim filter.
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c
FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una
Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210343
GHSA-c3hj-m5hq-59xw