flowise 2.2.3 vulnerabilities

Known vulnerabilities in the flowise package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
C Arbitrary File Upload flowise is a Flowiseai Server Affected versions of this package are vulnerable to Arbitrary File Upload through the `/api/v1/attachments` endpoint. An attacker can upload malicious files to the server by sending specially crafted requests to this endpoint. Note: This is only exploitable if the server configuration allows file uploads without proper validation or sanitization. How to fix Arbitrary File Upload? There is no fixed version for `flowise`.	*
H Uncontrolled Resource Consumption flowise is a Flowiseai Server Affected versions of this package are vulnerable to Uncontrolled Resource Consumption through the `/api/v1/get-upload-file` API endpoint. An attacker can cause the application to crash by sending specially crafted input. How to fix Uncontrolled Resource Consumption? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/api/v1/public-chatflows/id` endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `/api/v1/chatflows-streaming/id`, which returns a 404 page in the absence of a streaming ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/api/v1/credentials/id` endpoint, which returns a 404 page in the absence of a credential ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `api/v1/chatflows/id` endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
H Path Traversal flowise is a Flowiseai Server Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of the `filename` parameter used by the `/api/v1/openai-assistants-file` endpoint. An attacker can pass in a path traversal string to read arbitrary files on the vulnerable file system. How to fix Path Traversal? There is no fixed version for `flowise`.	*

Vulnerability

Vulnerable Version

Arbitrary File Upload

flowise is a Flowiseai Server

Affected versions of this package are vulnerable to Arbitrary File Upload through the /api/v1/attachments endpoint. An attacker can upload malicious files to the server by sending specially crafted requests to this endpoint.

Note:

This is only exploitable if the server configuration allows file uploads without proper validation or sanitization.

How to fix Arbitrary File Upload?