CVE-2025-26319 Scanner
FlowiseAI Flowise Arbitrary File Upload allows attackers to overwrite critical configuration files, potentially resulting in remote code execution.
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 23 days 10 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
FlowiseAI Flowise is a widely used AI workflow platform designed to facilitate the creation, deployment, and management of AI-driven workflows. It simplifies complex machine learning operations through an intuitive, user-friendly interface, enabling users to automate complex tasks effortlessly. FlowiseAI Flowise supports integrations with numerous AI tools and data sources, making it a popular solution among developers and organizations seeking scalable automation capabilities. This platform allows users to visually build and configure advanced workflows without extensive coding experience. It is particularly popular among teams aiming for rapid AI prototyping and deployment. FlowiseAI Flowise is commonly hosted in cloud or self-managed environments to streamline AI workflows and data management.
FlowiseAI Flowise versions 2.2.6 and earlier are vulnerable to Arbitrary File Upload. The vulnerability exists due to insufficient file upload validation in the FlowiseAI platform. An attacker can exploit it by uploading a specially crafted file to the server. By leveraging this flaw, an attacker can traverse directories and overwrite critical configuration files, specifically `.flowise/api.json`. This vulnerability may enable attackers to compromise the application's security and gain unauthorized access.
The vulnerability is located in the file upload mechanism of the FlowiseAI Flowise application. Attackers exploit the arbitrary file upload vulnerability by sending crafted multipart requests to a specific endpoint at `.flowise`. The affected endpoint is `/.flowise/api.json`, where uploaded files are inadequately validated. As a result, an uploaded file can be written to unintended locations outside the upload directory and overwrite critical configuration files stored there. The vulnerable parameter is the file upload field, which lacks adequate validation of both file type and file path. By leveraging multiple directory traversal sequences, an attacker can overwrite sensitive configuration files. Exploitation can be performed remotely without authentication, significantly increasing the risk.
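The missing file-path validation described above comes down to a containment check on the resolved upload target. The following is an added example, not Flowise source code: the directory layout (`/home/app/.flowise`, a `storage` subdirectory) and the function names are assumptions chosen for illustration.

```javascript
// Added illustration; not Flowise source code. Paths and names are assumptions.
const path = require("node:path").posix; // POSIX semantics, same result on any host

const DATA_DIR = "/home/app/.flowise";               // constructed example location
const UPLOAD_ROOT = path.join(DATA_DIR, "storage");  // assumed upload directory

// Weak pattern: request-supplied segments are joined with no containment check,
// so a ".." segment resolves to a location outside UPLOAD_ROOT.
function naiveTarget(...segments) {
  return path.join(UPLOAD_ROOT, ...segments);
}

// Hardened pattern: validate every segment (after any URL decoding the
// framework performs), resolve the path, then confirm it is still inside
// UPLOAD_ROOT before anything is written.
function safeTarget(...segments) {
  for (const s of segments) {
    const bad =
      typeof s !== "string" || s.length === 0 || s === "." || s === ".." ||
      s.includes("/") || s.includes("\\") || s.includes("\0");
    if (bad) throw new Error("rejected path segment");
  }
  const resolved = path.resolve(UPLOAD_ROOT, ...segments);
  if (!resolved.startsWith(UPLOAD_ROOT + "/")) {
    throw new Error("resolved path escapes upload root");
  }
  return resolved;
}

// Helper for callers that want a boolean instead of an exception.
function isRejected(...segments) {
  try {
    safeTarget(...segments);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample input: the weak join lands on the configuration file,
// while the hardened function refuses the same segments.
console.log(naiveTarget("..", "api.json"));
console.log(isRejected("..", "api.json"));
```

The same check belongs on every request value that ends up in a filesystem path, not only the uploaded file's name.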
The successful exploitation of this vulnerability could result in remote code execution on the server, allowing attackers to execute arbitrary commands. Attackers may modify configuration files to escalate privileges, access sensitive data, or fully compromise the affected server. Overwriting crucial configuration files may lead to application malfunction, denial of service, or data corruption. Additionally, attackers could inject backdoors or malicious scripts, leading to persistent threats. Sensitive information, including API keys and credentials, could be disclosed, further exposing the system and underlying infrastructure. The vulnerability poses a critical risk to the confidentiality, integrity, and availability of the application and underlying systems.