FlowiseAI 漏洞列表

在 Flowise 应用程序中存在ssrf漏洞，允许攻击者使用 Flowise 服务器作为代理来访问内部网络 Web 服务并探索其链接结构

FlowiseAI 是一款开源的低代码/无代码工具，用于快速构建基于大语言模型（LLM）的应用程序。该漏洞存在于 Flowise 的 /арi/v1/аttасhmеntѕ 中，允许未经身份验证的攻击者通过“知识上传”功能将任意文件上传到托管代理的服务器，此缺陷可能使攻击者能够通过上传恶意文件、脚本、配置文件甚至 SSH 密钥来远程控制整个服务器。 fofa：app="FlowiseAI"

FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and remote code execution. The vulnerability can be exploited by uploading a malicious file to overwrite the .flowise/api.json configuration file.