GHSA-H42X-XX2Q-6V6G

GHSA-H42X-XX2Q-6V6G is a critical-severity unrestricted upload of dangerous file types vulnerability in flowise (npm), affecting versions <= 2.2.7. No fixed version is listed yet.

Summary

An unauthorized attacker can leverage the whitelisted route /api/v1/attachments to upload arbitrary files when the storageType is set to local (default).

Details

When a new request arrives, the system first checks if the URL starts with /api/v1/. If it does, the system then verifies whether the URL is included in the whitelist (whitelistURLs). If the URL is whitelisted, the request proceeds; otherwise, the system enforces authentication.

@ /packages/server/src/index.ts

           this.app.use(async (req, res, next) => {
                // Step 1: Check if the req path contains /api/v1 regardless of case
                if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {
                    // Step 2: Check if the req path is case sensitive
                    if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
                        // Step 3: Check if the req path is in the whitelist
                        const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
                        if (isWhitelisted) {
                            next()
                        } else if (req.headers['x-request-from'] === 'internal') {
                            basicAuthMiddleware(req, res, next)
                        } else {
                            const isKeyValidated = await validateAPIKey(req)
                            if (!isKeyValidated) {
                                return res.status(401).json({ error: 'Unauthorized Access' })
                            }
                            next()
                        }
                    } else {
                        return res.status(401).json({ error: 'Unauthorized Access' })
                    }
                } else {
                    // If the req path does not contain /api/v1, then allow the request to pass through, example: /assets, /canvas
                    next()
                }
            }

The whitelist is defined as follows

export const WHITELIST_URLS = [
    '/api/v1/verify/apikey/',
    '/api/v1/chatflows/apikey/',
    '/api/v1/public-chatflows',
    '/api/v1/public-chatbotConfig',
    '/api/v1/prediction/',
    '/api/v1/vector/upsert/',
    '/api/v1/node-icon/',
    '/api/v1/components-credentials-icon/',
    '/api/v1/chatflows-streaming',
    '/api/v1/chatflows-uploads',
    '/api/v1/openai-assistants-file/download',
    '/api/v1/feedback',
    '/api/v1/leads',
    '/api/v1/get-upload-file',
    '/api/v1/ip',
    '/api/v1/ping',
    '/api/v1/version',
    '/api/v1/attachments',
    '/api/v1/metrics'
]

This means that every route in the whitelist does not require authentication. Now, let's examine the /api/v1/attachments route.

@ /packages/server/src/routes/attachments/index.ts

const router = express.Router()
// CREATE
router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment)
export default router

After several calls, the request reaches the createFileAttachment function @ (packages/server/src/utils/createAttachment.ts)
Initially, the function retrieves chatflowid and chatId from the request without any additional validation. The only check performed is whether these parameters exist in the request.

    const chatflowid = req.params.chatflowId
    if (!chatflowid) {
        throw new Error(
            'Params chatflowId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId'
        )
    }

    const chatId = req.params.chatId
    if (!chatId) {
        throw new Error(
            'Params chatId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId'
        )
    }

Next, the function retrieves the uploaded files and attempts to add them to the storage by calling the addArrayFilesToStorage function.

const files = (req.files as Express.Multer.File[]) || []
    const fileAttachments = []
    if (files.length) {
        // ...
        for (const file of files) {
            const fileBuffer = await getFileFromUpload(file.path ?? file.key)  // get the uploaded file
            const fileNames: string[] = []
            file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')
            // add it to the storage
            const storagePath = await addArrayFilesToStorage(file.mimetype, 
                                                             fileBuffer,
                                                             file.originalname,
                                                             fileNames,
                                                             chatflowid, chatId) // add it to the storage

            // ...

            await removeSpecificFileFromUpload(file.path ?? file.key) // delete from tmp
           //  ...

                fileAttachments.push({
                    name: file.originalname,
                    mimeType: file.mimetype,
                    size: file.size,
                    content
                })
            } catch (error) {
                throw new Error(`Failed operation: createFileAttachment - ${getErrorMessage(error)}`)
            }
        }
    }

    return fileAttachments

Now lets take a look at addArrayFilesToStorage function @ (/packages/components/src/storageUtils.ts)

export const addArrayFilesToStorage = async (mime: string, bf: Buffer, fileName: string, fileNames: string[], ...paths: string[]) => {
    const storageType = getStorageType()

    const sanitizedFilename = _sanitizeFilename(fileName)
    if (storageType === 's3') {
      // ...
    } else {
        const dir = path.join(getStoragePath(), ...paths) // PATH TRAVERSAL.
        if (!fs.existsSync(dir)) {
            fs.mkdirSync(dir, { recursive: true })
        }
        const filePath = path.join(dir, sanitizedFilename)
        fs.writeFileSync(filePath, bf)
        fileNames.push(sanitizedFilename)
        return 'FILE-STORAGE::' + JSON.stringify(fileNames)
    }
}

As noted in the comment, to construct the directory, the function joins the output of the getStoragePath function with ...paths, which are essentially the chatflowid and chatId extracted earlier from the request.
However, as mentioned previously, these values are not validated to ensure they are UUIDs or numbers. As a result, an attacker could manipulate these variables to set the dir variable to any value.
Combined with the fact that the filename is also provided by the user, this leads to unauthenticated arbitrary file upload.

POC

This is the a HTTP request. As observed, we are not authenticated, and by manipulating the chatId parameter, we can perform a path traversal. In this example, we overwrite the api.json file, which contains the API keys for the system.

in this example, the dir variable will be

var dir = '/root/.flowise/storage/test/../../../../../../../../root/.flowise/'

and the file name is api.json

And the API Keys in the UI

Impact

This vulnerability could potentially lead to

  • Remote Code Execution
  • Server Takeover
  • Data Theft
    And more

The application accepts file uploads without adequately restricting the file type or content. Typical impact: remote code execution if the uploaded file can be served and executed on the server.

Affected versions

flowise (<= 2.2.7)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

No fixed version is listed for GHSA-H42X-XX2Q-6V6G yet.

In the interim: Validate file type by inspecting the content, not just the extension or MIME type declared by the client. Store uploads outside the web root.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-H42X-XX2Q-6V6G? GHSA-H42X-XX2Q-6V6G is a critical-severity unrestricted upload of dangerous file types vulnerability in flowise (npm), affecting versions <= 2.2.7. No fixed version is listed yet. The application accepts file uploads without adequately restricting the file type or content.
  2. Which versions of flowise are affected by GHSA-H42X-XX2Q-6V6G? flowise (npm) versions <= 2.2.7 is affected.
  3. Is there a fix for GHSA-H42X-XX2Q-6V6G? No fixed version is listed for GHSA-H42X-XX2Q-6V6G yet. Monitor the advisory for updates and apply mitigations in the interim.
  4. Is GHSA-H42X-XX2Q-6V6G exploitable, and should I be worried? Whether GHSA-H42X-XX2Q-6V6G is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-H42X-XX2Q-6V6G is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-H42X-XX2Q-6V6G? No fixed version is listed yet. In the interim: Validate file type by inspecting the content, not just the extension or MIME type declared by the client. Store uploads outside the web root.

Other vulnerabilities in flowise

CVE-2026-56268CVE-2026-46480CVE-2026-46479CVE-2026-46478CVE-2026-46477

Stop the waste.
Protect your environment with Kodem.