FlowiseAI's Flowise is a drag-and-drop interface for building customized large language model flows. Versions prior to 3.0.13 expose an unauthenticated file upload API endpoint (/api/v1/attachments/:chatflowId/:chatId) listed in a whitelist, allowing any user to upload files without authentication. The server attempts to restrict uploads by validating MIME types against a configured whitelist (chatbotConfig.fullFileUpload.allowedUploadFileTypes). However, it relies solely on the client-provided Content-Type header (file.mimetype) without verifying the actual file content via magic bytes or validating the file extension (file.originalname). This trust in client-supplied metadata enables attackers to spoof allowed MIME types (e.g., application/pdf) and upload arbitrary malicious files, including scripts. Uploaded files are stored persistently in backend storage systems such as Amazon S3, Google Cloud Storage, or local disk. When combined with other Flowise features like static hosting or file retrieval, these malicious uploads can lead to Stored Cross-Site Scripting (XSS), hosting of malicious files, or even Remote Code Execution (RCE). The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). It has a CVSS 4.0 base score of 8.2 (high severity), reflecting network attack vector, high impact on integrity, and no user interaction required. The issue was patched in version 3.0.13, which presumably adds proper file content validation and/or authentication controls to the upload endpoint.

This vulnerability poses significant risks to organizations deploying vulnerable versions of Flowise. Attackers can upload malicious files that may execute arbitrary code on the server or client side, leading to full system compromise or data breaches. Stored XSS attacks can compromise user sessions and steal sensitive information. Malicious file hosting can facilitate distribution of malware or phishing content. The unauthenticated nature of the upload endpoint increases the attack surface, allowing remote attackers to exploit the flaw without credentials or user interaction. Organizations relying on Flowise for AI workflows risk disruption, data loss, reputational damage, and regulatory penalties if exploited. The persistence of malicious files in backend storage further complicates detection and remediation. Given Flowise’s role in AI model orchestration, compromise could also affect AI integrity and confidentiality.

Organizations should immediately upgrade Flowise to version 3.0.13 or later where this vulnerability is patched. Until upgrade, restrict network access to the /api/v1/attachments/:chatflowId/:chatId endpoint to trusted users only, ideally behind authentication and authorization controls. Implement server-side validation of uploaded files by verifying magic bytes and file extensions against allowed types rather than relying on client-supplied MIME types. Employ content scanning tools to detect malicious payloads in uploaded files. Monitor backend storage for unexpected or suspicious files and remove them promptly. Use Web Application Firewalls (WAFs) to detect and block suspicious upload attempts. Conduct regular security audits and penetration tests focusing on file upload functionalities. Educate developers and administrators about secure file handling practices and the risks of trusting client metadata.