### Critical Vulnerability Information

#### Vulnerability Overview

- **Type**: File Upload Vulnerability
- **Affected Version**: 3.0.7
- **CVE ID**: CVE-2023-45678 (assumed value; the actual identifier should be verified against the detailed advisory)
- **Severity**: High

#### Vulnerability Details

- **Description**: Flowise contains a file upload vulnerability that allows authenticated users to upload arbitrary files without proper validation. This lets an attacker persistently store malicious scripts and files on the server, potentially leading to Remote Code Execution (RCE).
- **Affected Components**: HTTP API, file upload handling logic

#### Taint Flow Analysis

1. **Taint Source**: File registration (`FileUploadService.registerFile`)
2. **Taint Propagation**: Update file settings (`FileUploadService.updateFileSettings`)
3. **Controller Call**: Decode the file and delegate to the service (`FileController.decodeFileAndDelegateToService`)
4. **Service Layer Processing**: Process the file and return the result to the controller (`FileService.processFileAndReturnResultToController`)
5. **Directory Creation**: Create the directory and write the file based on the filename (`FileService.createDirectoryAndWriteFile`)
6. **Filename Filtering**: Filters illegal characters in the filename, but does not validate the file content (`FileService.filterFileName`)

#### PoC (Proof of Concept)

- **Shell.js (Twelve.js Web Shell)**: Provides a simple web shell example to demonstrate exploitation of the vulnerability.
- **curl Upload Script**: Uses a curl command to upload a file containing malicious JavaScript code.

#### Impact

- Attackers can persistently upload and store malicious code on the server, leading to Remote Code Execution (RCE). Whether the stored shell is later triggered by other middleware that is unaware of it, or by additional middleware chained to execute the file, this poses a high threat to system integrity and confidentiality.