From f4281457dfd1a6098d82df5a0c8316ff7c21ed9c Mon Sep 17 00:00:00 2001
From: Henry
Date: Thu, 6 Nov 2025 11:14:05 +0000
Subject: [PATCH 1/2] path traversal check on chatId
---
 packages/server/src/utils/createAttachment.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/server/src/utils/createAttachment.ts b/packages/server/src/utils/createAttachment.ts
index 022a3f82ce4..9e9228f1522 100644
--- a/packages/server/src/utils/createAttachment.ts
+++ b/packages/server/src/utils/createAttachment.ts
@@ -27,15 +27,15 @@ export const createFileAttachment = async (req: Request) => {
 const appServer = getRunningExpressApp()
 const chatflowid = req.params.chatflowId
+ const chatId = req.params.chatId
+
 if (!chatflowid || !isValidUUID(chatflowid)) {
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid chatflowId format - must be a valid UUID')
 }
- if (isPathTraversal(chatflowid)) {
+ if (isPathTraversal(chatflowid) || isPathTraversal(chatId)) {
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid path characters detected')
 }
- const chatId = req.params.chatId
-
 // Validate chatflow exists and check API key
 const chatflow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({
 id: chatflowid
From 0ad98a0c29e045e66187efde068c0746701f2188 Mon Sep 17 00:00:00 2001
From: Henry Heng
Date: Thu, 6 Nov 2025 14:28:14 +0000
Subject: [PATCH 2/2] Update packages/server/src/utils/createAttachment.ts
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 packages/server/src/utils/createAttachment.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/src/utils/createAttachment.ts b/packages/server/src/utils/createAttachment.ts
index 9e9228f1522..10495140dad 100644
--- a/packages/server/src/utils/createAttachment.ts
+++ b/packages/server/src/utils/createAttachment.ts
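Review bot: chatId gets only the denylist-style `isPathTraversal` filter, while chatflowid on the lines above is first required to match a positive format (`isValidUUID`) and only then passed through the traversal check; the asymmetry leaves chatId with the weaker of the two controls. The traversal check itself suggests chatId ends up as a filesystem path segment further down in createFileAttachment (the body continues outside the hunk), which is exactly where an allowlist check is worth more than a pattern filter. If chatId is expected to be a UUID like chatflowid, the same helper can be reused right after the declaration, e.g. `if (chatId && !isValidUUID(chatId)) { throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid chatId format') }` (message is a constructed example); if it is a different identifier format, an equivalent allowlist regex on the same spot would serve. The undefined-chatId case in the new condition is already addressed by the second patch in this series, so it is not raised here.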
@@ -32,7 +32,7 @@ export const createFileAttachment = async (req: Request) => {
 if (!chatflowid || !isValidUUID(chatflowid)) {
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid chatflowId format - must be a valid UUID')
 }
- if (isPathTraversal(chatflowid) || isPathTraversal(chatId)) {
+ if (isPathTraversal(chatflowid) || (chatId && isPathTraversal(chatId))) {
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid path characters detected')
 }
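Review bot: The `chatId &&` guard on the added line encodes "chatId is optional on this route" through truthiness, which also skips the check for an empty string and leaves the reason undocumented for the next reader. Making the intent explicit, `if (isPathTraversal(chatflowid) || (chatId !== undefined && isPathTraversal(chatId))) {`, together with a comment on the line above such as `// chatId is an optional route segment; validate it only when the client supplied one`, records why an absent chatId is accepted here. Since the guard now lets an absent chatId past this point, it is worth confirming that the later use of chatId in createFileAttachment (outside this hunk, so not visible here) handles undefined rather than stringifying it into a path. The enclosing function starts and ends outside the hunk.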