CVE-2025-71324— Flowise - Arbitrary File Read via chatId Parameter
Possible ATT&CK Techniques 1AI
T1552.004 · Private KeysGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-71324
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Flowise - Arbitrary File Read via chatId Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is evaluated after the storage-directory containment check, allowing path traversal beyond the intended storage directory. Unauthenticated attackers can read sensitive files such as /root/.flowise/database.sqlite, exposing all database content in the default configuration.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
文件名或路径的外部可控制
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-71324
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-71324
请登录查看更多情报信息。
Vendor Advisories for CVE-2025-71324 (1)
- 🔗 Flowise - Arbitrary File Read via chatId Parameter | Advisories | VulnCheckthird-party-advisory
Other References for CVE-2025-71324 (1)
Same Patch Batch · Flowise · 2026-06-25 · 8 CVEs total
| CVE-2025-71338 | 10.0 CRITICAL | Flowise - Arbitrary File Write to Remote Code Execution via document-store API |
| CVE-2025-71336 | 9.8 CRITICAL | Flowise - Unsandboxed Remote Code Execution via Custom MCP |
| CVE-2025-71334 | 9.8 CRITICAL | Flowise - Arbitrary File Access via Missing Chat Flow ID Validation |
| CVE-2025-71327 | 9.1 CRITICAL | Flowise - Authentication Bypass via Unprotected Registration Endpoint |
| CVE-2025-71328 | 8.3 HIGH | Flowise - Unverified Password Change via Account Settings |
| CVE-2025-71335 | 8.1 HIGH | Flowise - Session Invalidation Failure After Password Change |
| CVE-2025-71333 | Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint |
IV. Related Vulnerabilities
Same product: Flowise
- CVE-2025-71338
Flowise - Arbitrary File Write to Remote Code Execution via - CVE-2025-71336
Flowise - Unsandboxed Remote Code Execution via Custom MCP - CVE-2025-71334
Flowise - Arbitrary File Access via Missing Chat Flow ID Val - CVE-2025-71335
Flowise - Session Invalidation Failure After Password Change - CVE-2025-71333
Flowise - Arbitrary File Upload via Unauthenticated /api/v1/
Same vendor: Flowise
- CVE-2025-71336
Flowise - Unsandboxed Remote Code Execution via Custom MCP - CVE-2025-71338
Flowise - Arbitrary File Write to Remote Code Execution via - CVE-2025-71334
Flowise - Arbitrary File Access via Missing Chat Flow ID Val - CVE-2025-71335
Flowise - Session Invalidation Failure After Password Change - CVE-2025-71333
Flowise - Arbitrary File Upload via Unauthenticated /api/v1/
Same weakness: CWE-73
- CVE-2026-47214
Docling: Unsafe URI and Path Handling in HTML Backend - CVE-2025-71338
Flowise - Arbitrary File Write to Remote Code Execution via - CVE-2025-71334
Flowise - Arbitrary File Access via Missing Chat Flow ID Val - CVE-2025-71333
Flowise - Arbitrary File Upload via Unauthenticated /api/v1/ - CVE-2026-55477
Authenticated Arbitrary File Write via Database Import and X
V. Comments for CVE-2025-71324
No comments yet