critical advisory

FlowiseAI File Upload Validation Bypass Leads to RCE

A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).

FlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability affecting versions up to 3.0.13. By modifying the Chatflow configuration, specifically the allowedUploadFileTypes setting, an attacker can add application/javascript as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. Although the frontend UI restricts JavaScript uploads, a direct API request can circumvent this restriction. Successful exploitation allows attackers to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. If executed, these web shells could grant the attacker Remote Code Execution (RCE) capabilities on the server, posing a significant risk to system integrity and data confidentiality.

Attack Chain

  1. The attacker identifies a vulnerable FlowiseAI instance running a version <= 3.0.13.
  2. The attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.
  3. The attacker crafts a malicious HTTP PUT request to the /api/v1/chatflows/{CHATFLOW_ID} endpoint.
  4. The PUT request modifies the Chatflow configuration, specifically the chatbotConfig to include application/javascript in the allowedUploadFileTypes.
  5. The attacker crafts a malicious HTTP POST request to the /api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID} endpoint to upload a .js file (Node.js web shell), such as the shell.js example.
  6. The server saves the malicious .js file to a publicly accessible directory.
  7. The attacker accesses the uploaded .js file via a direct HTTP request.
  8. The web shell executes commands specified in the URL parameters, such as http://localhost:8888/?cmd=id, resulting in RCE.

Impact

Successful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system. This can lead to complete system compromise, data exfiltration, and denial of service. This vulnerability affects FlowiseAI versions up to 3.0.13.

Recommendation

  • Apply appropriate input validation and sanitization to prevent modification of allowedUploadFileTypes settings.
  • Monitor network traffic for PUT requests to /api/v1/chatflows/{CHATFLOW_ID} modifying allowedUploadFileTypes as described in the attack chain.
  • Monitor for POST requests to /api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID} uploading .js files based on the attack chain.
  • Deploy the Sigma rules provided below to detect suspicious HTTP requests indicative of this attack.
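
One way to implement the first recommendation is a server-side allowlist check run on every Chatflow update before it is saved. This is an added example, not FlowiseAI's own code or patch. It assumes chatbotConfig arrives as a JSON string or object and that allowedUploadFileTypes is a comma-separated string or an array; the allowlist, function names and the "uploads" wrapper key in the samples are hypothetical.

```javascript
// Added example, not Flowise code. Assumptions: chatbotConfig is a JSON string or
// object; allowedUploadFileTypes is a comma-separated string or an array.
const SAFE_UPLOAD_TYPES = new Set([ // hypothetical allowlist, adjust per deployment
  'text/plain', 'text/csv', 'application/json', 'application/pdf',
  'image/png', 'image/jpeg',
]);

// Collect every allowedUploadFileTypes value, at any nesting depth.
function collectUploadTypes(node, found = []) {
  if (Array.isArray(node)) {
    node.forEach((item) => collectUploadTypes(item, found));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === 'allowedUploadFileTypes') {
        found.push(...(Array.isArray(value) ? value : String(value).split(',')));
      } else {
        collectUploadTypes(value, found);
      }
    }
  }
  return found;
}

// Returns { ok, rejected }; rejected lists MIME types outside the allowlist.
function validateChatbotConfig(chatbotConfig) {
  let parsed;
  try {
    parsed = typeof chatbotConfig === 'string' ? JSON.parse(chatbotConfig) : chatbotConfig;
  } catch {
    return { ok: false, rejected: ['<unparseable chatbotConfig>'] }; // fail closed
  }
  const rejected = collectUploadTypes(parsed)
    // Drop MIME parameters and normalise case before comparing with the allowlist.
    .map((type) => String(type).split(';')[0].trim().toLowerCase())
    .filter((type) => type !== '' && !SAFE_UPLOAD_TYPES.has(type));
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample values; the "uploads" wrapper key is illustrative only.
const SAMPLE_BLOCKED = JSON.stringify({
  uploads: { allowedUploadFileTypes: 'text/plain, Application/JavaScript' },
});
const SAMPLE_ALLOWED = { uploads: { allowedUploadFileTypes: ['image/png', 'application/pdf'] } };

console.log(validateChatbotConfig(SAMPLE_BLOCKED));
console.log(validateChatbotConfig(SAMPLE_ALLOWED));
```

Because the check is an allowlist rather than a blocklist of script types, any MIME type not explicitly approved is refused, including variants such as text/javascript.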

Detection coverage (2 rules)

FlowiseAI Chatflow Configuration Modification

high

Detects modification of Chatflow configuration to allow JavaScript MIME type, indicating potential file upload bypass.

sigma | tactics: execution, persistence | techniques: T1190 | sources: webserver, linux

FlowiseAI JavaScript File Upload Attempt

high

Detects attempts to upload JavaScript files to FlowiseAI attachments endpoint.

sigma | tactics: execution, persistence | techniques: T1190 | sources: webserver, linux

Detection queries are kept inside the platform.