Cyber Resilience

CVE-2024-36420

HighPublic PoC

Published: 01 July 2024

Published
01 July 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.5832 98.2th percentile
Risk Priority 50 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-36420 is a high-severity Injection (CWE-74) vulnerability in Flowiseai Flowise. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Obtain Capabilities (AML.T0016), Exfiltration via AI Inference API (AML.T0024).

Deeper analysis

Flowise version 1.4.3, a drag-and-drop interface for constructing customized large language model flows, is affected by an arbitrary file read vulnerability in the /api/v1/openai-assistants-file endpoint. The flaw resides in packages/server/src/index.ts and stems from missing sanitization of the fileName body parameter, corresponding to CWE-74 and carrying a CVSS 3.1 score of 7.5 for unauthenticated network access that impacts confidentiality.

Remote attackers without credentials can submit crafted POST requests to the endpoint and retrieve arbitrary files from the underlying server filesystem, exposing sensitive configuration or data. The attack requires no user interaction and can be performed directly over the network.

Public references, including the GitHub Security Lab advisory GHSL-2023-232 and the affected source lines, document the injection vector, while the vulnerability record states that no patches are available. The associated EPSS score of 0.5832 reflects sustained exploitation interest for this LLM-related component.

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName`…

more

body parameter. No known patches for this issue are available.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Flowise is a drag-and-drop user interface for building customized large language model (LLM) flows, specifically integrating with OpenAI Assistants (e.g., /api/v1/openai-assistants-file endpoint), fitting the Enterprise AI Assistants category as a platform for developing and deploying LLM-based assistants.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path injection in CVE-2024-36420 enables arbitrary file reads from the local system (T1005) through exploitation of a public-facing web application API endpoint (T1190).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0016: Obtain CapabilitiesAML.T0024: Exfiltration via AI Inference API

Affected Assets

flowiseai
flowise
1.4.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References