CVE Catalog

CVE-2025-71324

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

26th percentile — higher than 26% of all known CVEs

Summary

Flowise before version 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is evaluated after the storage-directory containment check, allowing path traversal beyond the intended storage directory. Unauthenticated attackers can read sensitive files such as /root/.flowise/database.sqlite, exposing all database content in the default configuration.

Risk Assessment

The risk for the organization is critical because an unauthenticated attacker can access sensitive data stored in the Flowise database, potentially including passwords, tokens, and other secrets, which could lead to full system compromise.

Recommendation

Immediately upgrade Flowise to version 3.0.6 or later, which includes a fix for this vulnerability. Additionally, restrict access to the API endpoints using a firewall or authentication.

Original NVD description (English source)

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is evaluated after the storage-directory containment check, allowing path traversal beyond the intended storage directory. Unauthenticated attackers can read sensitive files such as /root/.flowise/database.sqlite, exposing all database content in the default configuration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS