GHSA-h42x-xx2q-6v6g: 
JavaScript vulnerability analysis and mitigation

A critical vulnerability (GHSA-h42x-xx2q-6v6g) was discovered in Flowise versions <= 2.2.4, allowing unauthorized attackers to leverage the whitelisted route /api/v1/attachments to upload arbitrary files when the storageType is set to local (default). The vulnerability was published and reviewed on March 13, 2025 (GitHub Advisory).

The vulnerability stems from insufficient validation of chatflowId and chatId parameters in the /api/v1/attachments route. The route is whitelisted and bypasses authentication checks. When processing file uploads, the system joins these unvalidated parameters with the storage path, enabling path traversal attacks. The vulnerability has a CVSS v4 score of 9.3 (Critical) with metrics indicating Network attack vector, Low complexity, and No privileges required (GitHub Advisory).

The vulnerability's exploitation could lead to several severe consequences including Remote Code Execution, Server Takeover, and Data Theft. An attacker can manipulate the file storage path to overwrite critical system files, such as api.json which contains system API keys (GitHub Advisory).

A fix has been implemented in commit c2b830f that includes additional validation for chatflowId and chatId parameters, ensuring they are valid UUIDs and checking for path traversal attempts. The patch also adds validation to verify that the chatflow exists before processing the file upload (Flowise Commit).