AI Sec Watch

Flowise, a tool for building custom AI workflows through a visual interface, had a vulnerability in versions before 3.1.0 where authenticated users could bypass SSRF protection (a security control that prevents the application from making requests to internal networks). The issue occurred because the Custom Function feature blocked some ways of making network requests but left others unprotected, allowing attackers to potentially access sensitive internal resources like cloud provider metadata services.

Flowise, a tool with a drag-and-drop interface for building customized AI workflows, had a vulnerability before version 3.1.0 where attackers could upload malicious JavaScript files by changing file type settings, even though the user interface normally blocks such uploads. These uploaded files could act as web shells (programs that give attackers control over the server), potentially allowing remote code execution (RCE, where an attacker runs commands on a system they don't own).

Flowise, a tool that lets users visually design custom AI workflows, has a critical vulnerability in versions before 3.1.0 that allows attackers to run any system commands they want without logging in. An attacker can exploit this by using a special keyword (FILE-STORAGE::) and injecting code into an environment variable (NODE_OPTIONS) through a single web request, gaining full control of the Flowise system.

Flowise, a tool for building customized AI workflows through a drag-and-drop interface, had a security flaw in versions before 3.1.0 where attackers could inject malicious data during account registration. This JSON injection (inserting unauthorized code into data fields) vulnerability allowed unauthenticated users to manipulate important metadata like ownership and user roles, potentially breaking security boundaries in systems that host multiple separate organizations.

Flowise, a tool for building customized LLM (large language model) flows through a visual drag-and-drop interface, has a vulnerability in versions before 3.1.0 where an API endpoint exposes sensitive data like API keys and authorization headers without requiring authentication. An attacker who knows only a chatflow UUID (a unique identifier) can steal credentials and other sensitive information from the system.

Flowise is a tool with a visual interface for building customized AI workflows. Before version 3.1.0, the Airtable_Agents component had a security flaw where it ran Python code generated by an AI without proper sandboxing (isolation to prevent unauthorized access). An attacker could use prompt injection (tricking the AI by hiding instructions in user input) to make the AI generate malicious code that runs on the Flowise server.

Flowise is a tool with a drag-and-drop interface for building customized large language model flows. Before version 3.1.0, it had a remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't own) in AirtableAgent.ts because user input was directly inserted into Python code without sanitization (cleaning to remove harmful content), allowing attackers to inject malicious code through the question parameter.

Flowise is a drag-and-drop interface for building customized large language model workflows. Versions before 3.1.0 have a command injection vulnerability (code injection, where attackers can execute arbitrary commands) in the CSVAgent feature because it fails to properly filter user-provided Pandas CSV reading code, allowing attackers to run malicious commands on the server.

GPT-5.5 is a new AI model from OpenAI that is now available through Codex (a code-focused AI tool) and ChatGPT subscriptions, though the standard API is not yet available. The author created a tool called llm-openai-via-codex that lets users access GPT-5.5 through their existing Codex subscription by reverse-engineering how authentication tokens work, rather than waiting for the official API release.