GHSA-8vvx-qvq9-5948: 
JavaScript vulnerability analysis and mitigation

A critical security vulnerability was discovered in Flowise affecting versions up to 2.2.7, identified as GHSA-8vvx-qvq9-5948. The vulnerability allows attackers to write files with arbitrary content to the filesystem via the /api/v1/document-store/loader/process API endpoint, potentially leading to Remote Code Execution (RCE). The issue was published and reviewed on March 14, 2025, with a CVSS score of 10.0 (Critical) (GitHub Advisory).

The vulnerability exists in multiple file writing functions within packages/components/src/storageUtils.ts, specifically in addBase64FilesToStorage, addArrayFilesToStorage, and addSingleFileToStorage. The core issue stems from the fileName parameter, an untrusted external input, being used directly in path.join() without proper verification. This allows attackers to traverse directories using '../' and write files to arbitrary paths. The vulnerability received a CVSS:3.1 score of 10.0 with vector string AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, low complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability enables Remote Code Execution (RCE) through arbitrary file writing capabilities. Attackers can obtain full server shell privileges by opening a reverse shell. In the proof of concept, attackers could overwrite package.json to execute arbitrary commands when the server starts, demonstrating the severity of the impact (GitHub Advisory).

A fix has been implemented that includes path traversal detection and UUID validation for chatflowId and chatId parameters. The patch adds input validation through the isPathTraversal and isValidUUID functions to prevent directory traversal attacks (Flowise Commit).