GHSA-J8G8-J7FC-43V6

Vulnerability from github – Published: 2026-03-06 18:49 – Updated: 2026-03-09 13:15
VLAI?
Summary
Flowise has Arbitrary File Upload via MIME Spoofing
Details

Vulnerability Description

Vulnerability Overview

  • The /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API.
  • While the server validates uploads based on the MIME types defined in chatbotConfig.fullFileUpload.allowedUploadFileTypes, it implicitly trusts the client-provided Content-Type header (file.mimetype) without verifying the file's actual content (magic bytes) or extension (file.originalname).
  • Consequently, an attacker can bypass this restriction by spoofing the Content-Type as a permitted type (e.g., application/pdf) while uploading malicious scripts or arbitrary files. Once uploaded via addArrayFilesToStorage, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).

Vulnerable Code

  • Upload Route Definition

    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10

    tsx // CREATE router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment) export default router

  • Mount /api/v1/attachments to the global router

    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77

    tsx const router = express.Router() router.use('/ping', pingRouter) router.use('/apikey', apikeyRouter) router.use('/assistants', assistantsRouter) router.use('/attachments', attachmentsRouter)

  • Include /api/v1/attachments in the WHITELIST_URLS list

    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26

    tsx export const WHITELIST_URLS = [ '/api/v1/verify/apikey/', '/api/v1/chatflows/apikey/', '/api/v1/public-chatflows', '/api/v1/public-chatbotConfig', '/api/v1/public-executions', '/api/v1/prediction/', '/api/v1/vector/upsert/', '/api/v1/node-icon/', '/api/v1/components-credentials-icon/', '/api/v1/chatflows-streaming', '/api/v1/chatflows-uploads', '/api/v1/openai-assistants-file/download', '/api/v1/feedback', '/api/v1/leads', '/api/v1/get-upload-file', '/api/v1/ip', '/api/v1/ping', '/api/v1/version', '/api/v1/attachments', '/api/v1/metrics',

  • Bypass JWT validation if the URL is whitelisted

    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228

    ```tsx const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : [] const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url)) const URL_CASE_INSENSITIVE_REGEX: RegExp = /\/api\/v1\//i const URL_CASE_SENSITIVE_REGEX: RegExp = /\/api\/v1\//

        await initializeJwtCookieMiddleware(this.app, this.identityManager)

    this.app.use(async (req, res, next) => {
        // Step 1: Check if the req path contains /api/v1 regardless of case
        if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {
            // Step 2: Check if the req path is casesensitive
            if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
                // Step 3: Check if the req path is in the whitelist
                const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
                if (isWhitelisted) {
                    next()

    ```

  • Multer Configuration: Saves files without file type validation

    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960

    ```tsx export const getUploadPath = (): string => { return process.env.BLOB_STORAGE_PATH ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads') : path.join(getUserHome(), '.flowise', 'uploads') }

    export function generateId() { return uuidv4() }

    export const getMulterStorage = () => { const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'

    if (storageType === 's3') {
    const s3Client = getS3Config().s3Client
    const Bucket = getS3Config().Bucket

    const upload = multer({
        storage: multerS3({
            s3: s3Client,
            bucket: Bucket,
            metadata: function (req, file, cb) {
                cb(null, { fieldName: file.fieldname, originalName: file.originalname })
            },
            key: function (req, file, cb) {
                cb(null, `${generateId()}`)
            }
        })
    })
    return upload
} else if (storageType === 'gcs') {
    return multer({
        storage: new MulterGoogleCloudStorage({
            projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,
            bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,
            keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,
            uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,
            destination: `uploads/${generateId()}`
        })
    })
} else {
    return multer({ dest: getUploadPath() })
}

    } ```

  • Transfers uploaded files to storage without verification

    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158

    ``tsx const files = (req.files as Express.Multer.File[]) || [] const fileAttachments = [] if (files.length) { const isBase64 = req.body.base64 for (const file of files) { if (!allowedFileTypes.length) { throw new InternalFlowiseError( StatusCodes.BAD_REQUEST,File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}` ) }

            // Validate file type against allowed types
        if (allowedFileTypes.length > 0 && !allowedFileTypes.includes(file.mimetype)) {
            throw new InternalFlowiseError(
                StatusCodes.BAD_REQUEST,
                `File type '${file.mimetype}' is not allowed. Allowed types: ${allowedFileTypes.join(', ')}`
            )
        }

        await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)

        const fileBuffer = await getFileFromUpload(file.path ?? file.key)
        const fileNames: string[] = []
        // Address file name with special characters: https://github.com/expressjs/multer/issues/1104
        file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')
        const { path: storagePath, totalSize } = await addArrayFilesToStorage(
            file.mimetype,
            fileBuffer,
            file.originalname,
            fileNames,
            orgId,
            chatflowid,
            chatId
        )

    ```

PoC

PoC Description

  • Create a local file named shell.js containing arbitrary JavaScript code (or a malicious payload).
  • Send a multipart/form-data request to the /api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId endpoint without any authentication (login, session, or API keys).
  • During the upload, retain the filename as shell.js but spoof the Content-Type header as application/pdf.
  • This exploits the server's reliance solely on the client-provided file.mimetype, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.

PoC

curl -X POST \
  "http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)" \
  -F "files=@shell.js;type=application/pdf"

image

Impact

1. Root Cause The vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., .js, .php) or malicious scripts (.html) by masquerading them as benign images or documents.

2. Key Attack Scenarios

  • Server Compromise (RCE): An attacker uploads a Web Shell and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.
  • Client-Side Attack (Stored XSS): An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.

3. Impact This vulnerability is rated as High severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.

Severity ?
8.2 (High)
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T18:49:20Z",
    "nvd_published_at": "2026-03-07T05:16:26Z",
    "severity": "HIGH"
  },
  "details": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n \n- The `/api/v1/attachments/:chatflowId/:chatId` endpoint is listed in `WHITELIST_URLS`, allowing unauthenticated access to the file upload API.\n- While the server validates uploads based on the MIME types defined in `chatbotConfig.fullFileUpload.allowedUploadFileTypes`, it implicitly trusts the client-provided `Content-Type` header (`file.mimetype`) without verifying the file\u0027s actual content (magic bytes) or extension (`file.originalname`).\n- Consequently, an attacker can bypass this restriction by spoofing the `Content-Type` as a permitted type (e.g., `application/pdf`) while uploading malicious scripts or arbitrary files. Once uploaded via `addArrayFilesToStorage`, these files persist in backend storage (S3, GCS, or local disk). This vulnerability serves as a critical entry point that, when chained with other features like static hosting or file retrieval, can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE).\n\n**Vulnerable Code**\n\n- Upload Route Definition\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/attachments/index.ts#L7-L10\n    \n    ```tsx\n    // CREATE\n    router.post(\u0027/:chatflowId/:chatId\u0027, getMulterStorage().array(\u0027files\u0027), attachmentsController.createAttachment)\n    export default router\n    ```\n    \n- Mount /api/v1/attachments to the global router\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/routes/index.ts#L72-L77\n    \n    ```tsx\n    const router = express.Router()\n    router.use(\u0027/ping\u0027, pingRouter)\n    router.use(\u0027/apikey\u0027, apikeyRouter)\n    router.use(\u0027/assistants\u0027, assistantsRouter)\n    router.use(\u0027/attachments\u0027, attachmentsRouter)\n    ```\n    \n- Include /api/v1/attachments in the WHITELIST_URLS list\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/constants.ts#L6-L26\n    \n    ```tsx\n    export const WHITELIST_URLS = [\n        \u0027/api/v1/verify/apikey/\u0027,\n        \u0027/api/v1/chatflows/apikey/\u0027,\n        \u0027/api/v1/public-chatflows\u0027,\n        \u0027/api/v1/public-chatbotConfig\u0027,\n        \u0027/api/v1/public-executions\u0027,\n        \u0027/api/v1/prediction/\u0027,\n        \u0027/api/v1/vector/upsert/\u0027,\n        \u0027/api/v1/node-icon/\u0027,\n        \u0027/api/v1/components-credentials-icon/\u0027,\n        \u0027/api/v1/chatflows-streaming\u0027,\n        \u0027/api/v1/chatflows-uploads\u0027,\n        \u0027/api/v1/openai-assistants-file/download\u0027,\n        \u0027/api/v1/feedback\u0027,\n        \u0027/api/v1/leads\u0027,\n        \u0027/api/v1/get-upload-file\u0027,\n        \u0027/api/v1/ip\u0027,\n        \u0027/api/v1/ping\u0027,\n        \u0027/api/v1/version\u0027,\n        \u0027/api/v1/attachments\u0027,\n        \u0027/api/v1/metrics\u0027,\n    ```\n    \n- Bypass JWT validation if the URL is whitelisted\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/index.ts#L213-L228\n    \n    ```tsx\n            const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(\u0027,\u0027) : []\n            const whitelistURLs = WHITELIST_URLS.filter((url) =\u003e !denylistURLs.includes(url))\n            const URL_CASE_INSENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//i\n            const URL_CASE_SENSITIVE_REGEX: RegExp = /\\/api\\/v1\\//\n    \n            await initializeJwtCookieMiddleware(this.app, this.identityManager)\n    \n            this.app.use(async (req, res, next) =\u003e {\n                // Step 1: Check if the req path contains /api/v1 regardless of case\n                if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {\n                    // Step 2: Check if the req path is casesensitive\n                    if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {\n                        // Step 3: Check if the req path is in the whitelist\n                        const isWhitelisted = whitelistURLs.some((url) =\u003e req.path.startsWith(url))\n                        if (isWhitelisted) {\n                            next()\n    ```\n    \n- Multer Configuration: Saves files without file type validation\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/index.ts#L1917-L1960\n    \n    ```tsx\n    export const getUploadPath = (): string =\u003e {\n        return process.env.BLOB_STORAGE_PATH\n            ? path.join(process.env.BLOB_STORAGE_PATH, \u0027uploads\u0027)\n            : path.join(getUserHome(), \u0027.flowise\u0027, \u0027uploads\u0027)\n    }\n    \n    export function generateId() {\n        return uuidv4()\n    }\n    \n    export const getMulterStorage = () =\u003e {\n        const storageType = process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : \u0027local\u0027\n    \n        if (storageType === \u0027s3\u0027) {\n            const s3Client = getS3Config().s3Client\n            const Bucket = getS3Config().Bucket\n    \n            const upload = multer({\n                storage: multerS3({\n                    s3: s3Client,\n                    bucket: Bucket,\n                    metadata: function (req, file, cb) {\n                        cb(null, { fieldName: file.fieldname, originalName: file.originalname })\n                    },\n                    key: function (req, file, cb) {\n                        cb(null, `${generateId()}`)\n                    }\n                })\n            })\n            return upload\n        } else if (storageType === \u0027gcs\u0027) {\n            return multer({\n                storage: new MulterGoogleCloudStorage({\n                    projectId: process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID,\n                    bucket: process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME,\n                    keyFilename: process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL,\n                    uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,\n                    destination: `uploads/${generateId()}`\n                })\n            })\n        } else {\n            return multer({ dest: getUploadPath() })\n        }\n    }\n    ```\n    \n- Transfers uploaded files to storage without verification\n    \n    https://github.com/FlowiseAI/Flowise/blob/d17c4394a238b49327b493c89feee45f3a20bb91/packages/server/src/utils/createAttachment.ts#L124-L158\n    \n    ```tsx\n        const files = (req.files as Express.Multer.File[]) || []\n        const fileAttachments = []\n        if (files.length) {\n            const isBase64 = req.body.base64\n            for (const file of files) {\n                if (!allowedFileTypes.length) {\n                    throw new InternalFlowiseError(\n                        StatusCodes.BAD_REQUEST,\n                        `File type \u0027${file.mimetype}\u0027 is not allowed. Allowed types: ${allowedFileTypes.join(\u0027, \u0027)}`\n                    )\n                }\n    \n                // Validate file type against allowed types\n                if (allowedFileTypes.length \u003e 0 \u0026\u0026 !allowedFileTypes.includes(file.mimetype)) {\n                    throw new InternalFlowiseError(\n                        StatusCodes.BAD_REQUEST,\n                        `File type \u0027${file.mimetype}\u0027 is not allowed. Allowed types: ${allowedFileTypes.join(\u0027, \u0027)}`\n                    )\n                }\n    \n                await checkStorage(orgId, subscriptionId, appServer.usageCacheManager)\n    \n                const fileBuffer = await getFileFromUpload(file.path ?? file.key)\n                const fileNames: string[] = []\n                // Address file name with special characters: https://github.com/expressjs/multer/issues/1104\n                file.originalname = Buffer.from(file.originalname, \u0027latin1\u0027).toString(\u0027utf8\u0027)\n                const { path: storagePath, totalSize } = await addArrayFilesToStorage(\n                    file.mimetype,\n                    fileBuffer,\n                    file.originalname,\n                    fileNames,\n                    orgId,\n                    chatflowid,\n                    chatId\n                )\n    ```\n    \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Create a local file named `shell.js` containing arbitrary JavaScript code (or a malicious payload).\n- Send a `multipart/form-data` request to the `/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/:chatId` endpoint without any authentication (login, session, or API keys).\n- During the upload, retain the filename as `shell.js` but spoof the `Content-Type` header as `application/pdf`.\n- This exploits the server\u0027s reliance solely on the client-provided `file.mimetype`, forcing it to process the malicious JS file as an allowed PDF, thereby confirming unauthenticated arbitrary file upload.\n\n**PoC**\n\n\n```bash\ncurl -X POST \\\n  \"http://localhost:3000/api/v1/attachments/891f64a2-a26f-4169-b333-905dc96c200a/$(uuidgen)\" \\\n  -F \"files=@shell.js;type=application/pdf\"\n```\n\n\u003cimg width=\"1916\" height=\"1011\" alt=\"image\" src=\"https://github.com/user-attachments/assets/45679d95-00b9-4bee-9c94-7bd9403554d5\" /\u003e\n\n\n### Impact\n\n---\n\n**1. Root Cause**\nThe vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., `.js`, `.php`) or malicious scripts (`.html`) by masquerading them as benign images or documents.\n\n**2. Key Attack Scenarios**\n\n- **Server Compromise (RCE):** An attacker uploads a **Web Shell** and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.\n- **Client-Side Attack (Stored XSS):** An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.\n\n**3. Impact**\nThis vulnerability is rated as **High** severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.",
  "id": "GHSA-j8g8-j7fc-43v6",
  "modified": "2026-03-09T13:15:25Z",
  "published": "2026-03-06T18:49:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30821"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise has Arbitrary File Upload via MIME Spoofing"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.