Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Threat Intelligence
GHSA-w4hm-rrxg-pxcf (CVE-2026-56275)
Flowise versions before 3.1.0 contain a server-side request forgery (SSRF) vulnerability in the Execute Flow node. This flaw allows attackers to bypass security validation by submitting intranet addresses via the base URL field, enabling unauthorized HTTP requests to internal network resources. The vulnerability arises from missing secureFetch verification in the httpSecurity.ts component.
GCVE Database | 06/23/2026, 15:32:36 UTC | Added: 06/26/2026, 22:06:37 UTC

GHSA-4pwq-xw7j-m297 (CVE-2025-71324)
Flowise versions before 3.0.6 have an arbitrary file read vulnerability in the chatId parameter of two API endpoints. The chatId parameter is not properly validated, allowing path traversal beyond the intended storage directory. This enables unauthenticated attackers to read sensitive files such as the default database file, exposing all database content.
GCVE Database | 06/26/2026, 00:32:04 UTC | Added: 06/26/2026, 22:06:12 UTC

GHSA-f44q-84cr-v374 (CVE-2025-71328)
Flowise versions before 3.0.10 have a vulnerability where authenticated users can change their account password without providing the current password or any additional verification. This lack of a current-password check in the account settings (Security) section allows potential full account takeover if an attacker gains access to an authenticated session.
GCVE Database | 06/26/2026, 00:32:04 UTC | Added: 06/26/2026, 22:06:12 UTC

GHSA-grch-cc26-w2fv (CVE-2025-71333)
Flowise versions through 2.2.4 have an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. This vulnerability allows attackers to exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories. Successful exploitation could lead to remote code execution and server compromise.
GCVE Database | 06/26/2026, 00:32:04 UTC | Added: 06/26/2026, 22:06:12 UTC

GHSA-289x-5mj7-xhg5 (CVE-2025-71335)
Flowise versions 3.0.7 and earlier do not invalidate existing sessions or session tokens after a user changes their password. This allows an attacker with an active session, such as one obtained via a stolen token or a device left logged in, to remain authenticated despite the password change. This behavior undermines the security intent of password rotation by allowing continued unauthorized access.
GCVE Database | 06/26/2026, 00:32:05 UTC | Added: 06/26/2026, 22:06:10 UTC

GHSA-q2xp-j85q-883h (CVE-2025-71336)
Flowise versions 2.2.7-patch.1 and earlier contain a critical unsandboxed remote code execution vulnerability in the Custom MCP feature. This feature executes OS commands to launch local MCP servers. Due to minimal authentication and lack of role-based access control, and default installations running without authentication unless credentials are set, an attacker can send a crafted JSON payload with a specific header to execute arbitrary OS commands. This leads to complete compromise of the platform container or server.
GCVE Database | 06/26/2026, 00:32:05 UTC | Added: 06/26/2026, 22:06:10 UTC

GHSA-w5r9-j49j-2m55 (CVE-2025-71334)
Flowise versions 2.2.8 and earlier contain an arbitrary file access vulnerability due to missing validation of chatflowId and chatId parameters. An unauthenticated attacker can exploit this by supplying path-traversal values to write and read arbitrary files via specific API endpoints. This arbitrary file write capability may lead to remote code execution.
GCVE Database | 06/26/2026, 00:32:05 UTC | Added: 06/26/2026, 22:06:10 UTC

Flowise: Multiple vulnerabilities allow bypassing of security measures (CVE-2025-71337)
Flowise is a user interface for building LLMs (large language models).
GCVE Database | 11/12/2025, 23:00:00 UTC | Added: 06/24/2026, 16:59:32 UTC

CVE-2026-12821: Path Traversal in FlowiseAI Flowise (CVE-2026-12821)
A vulnerability was determined in FlowiseAI Flowise up to 3.1.2. The impacted element is an unknown function of the file packages/components/nodes/documentloaders/S3/S3.ts of the component S3 Document Loader. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVE Database V5 | 06/21/2026, 23:15:08 UTC | Added: 06/21/2026, 23:24:27 UTC

CVE-2026-46480: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in FlowiseAI Flowise (CVE-2026-46480)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.
CVE Database V5 | 06/08/2026, 15:32:15 UTC | Added: 06/08/2026, 15:49:01 UTC

Showing 1 to 10 of 21 results