{"id":"CVE-2024-36420","summary":"GHSL-2023-232: Flowise Path Injection at /api/v1/openai-assistants-file","details":"Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available.","aliases":["GHSA-h997-3fxj-p5j8"],"modified":"2026-04-19T04:12:12.634353Z","published":"2024-07-01T15:53:14.900Z","database_specific":{"cwe_ids":["CWE-74"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36420.json"},"references":[{"type":"WEB","url":"https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L982"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36420.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36420"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flowiseai/flowise","events":[{"introduced":"0"},{"last_affected":"19e9c67d12190e80869a6ca338fb2082430614fd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.3"}]}}],"versions":["flowise-components@1.0.0","flowise-components@1.1.0","flowise-components@1.1.1","flowise-components@1.2.1","flowise-components@1.2.10","flowise-components@1.2.12","flowise-components@1.2.14","flowise-components@1.2.15","flowise-components@1.2.16","flowise-components@1.2.17","flowise-components@1.2.2","flowise-components@1.2.3","flowise-components@1.2.4","flowise-components@1.2.5","flowise-components@1.2.6","flowise-components@1.2.7","flowise-components@1.2.8","flowise-components@1.2.9","flowise-components@1.3.0","flowise-components@1.3.1","flowise-components@1.3.10","flowise-components@1.3.11","flowise-components@1.3.2","flowise-components@1.3.3","flowise-components@1.3.4","flowise-components@1.3.5","flowise-components@1.3.7","flowise-components@1.3.8","flowise-components@1.3.9","flowise-components@1.4.0","flowise-components@1.4.1","flowise-components@1.4.2","flowise-components@1.4.3","flowise-ui@1.0.0","flowise-ui@1.1.0","flowise-ui@1.2.0","flowise-ui@1.2.1","flowise-ui@1.2.10","flowise-ui@1.2.12","flowise-ui@1.2.13","flowise-ui@1.2.14","flowise-ui@1.2.15","flowise-ui@1.2.2","flowise-ui@1.2.3","flowise-ui@1.2.4","flowise-ui@1.2.5","flowise-ui@1.2.6","flowise-ui@1.2.7","flowise-ui@1.3.0","flowise-ui@1.3.1","flowise-ui@1.3.2","flowise-ui@1.3.3","flowise-ui@1.3.4","flowise-ui@1.3.5","flowise-ui@1.3.6","flowise-ui@1.3.7","flowise-ui@1.4.0","flowise-ui@1.4.1","flowise@1.0.0","flowise@1.0.1","flowise@1.1.0","flowise@1.1.1","flowise@1.2.1","flowise@1.2.11","flowise@1.2.13","flowise@1.2.14","flowise@1.2.15","flowise@1.2.16","flowise@1.2.2","flowise@1.2.3","flowise@1.2.4","flowise@1.2.5","flowise@1.2.6","flowise@1.2.7","flowise@1.2.8","flowise@1.2.9","flowise@1.3.0","flowise@1.3.1","flowise@1.3.2","flowise@1.3.3","flowise@1.3.4","flowise@1.3.5","flowise@1.3.6","flowise@1.3.7","flowise@1.3.8","flowise@1.3.9","flowise@1.4.0","flowise@1.4.1","flowise@1.4.2","flowise@1.4.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36420.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}