CNNVD-202510-800 Information

CNNVD ID

CNNVD-202510-800

CVE-2025-61687

  • CNNVD Published: 2025-10-06

Description

Flowise is an open-source tool from FlowiseAI for easily building LLM applications. Flowise version 3.0.7 contains a code issue vulnerability: the file extension, MIME type, and file content are not validated during file upload, which may lead to remote code execution.

Hazard Level

Medium

Vulnerability Type

Code issue

Affected Vendor

FlowiseAI

Published

2025-10-06

Last Modified

2026-02-24

References

  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/components/src/storageUtils.ts#L1104-L1111
  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/components/src/storageUtils.ts#L170-L175
  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/components/src/storageUtils.ts#L533-L541
  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/server/src/controllers/attachments/index.ts#L4-L11
  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/server/src/routes/attachments/index.ts#L8
  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/server/src/services/attachments/index.ts#L7-L16
  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/server/src/utils/createAttachment.ts#L118-L126
  • https://github.com/FlowiseAI/Flowise/blob/d29db16bfcf9a4be8febc3d19d52263e8c3d0055/packages/server/src/utils/index.ts#L1950-L1954
  • https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-35g6-rrw3-v6xc

Patch

https://github.com/FlowiseAI/Flowise/releases
