AI Sec Watch

Flowise's GraphCypherQAChain node has a cypher injection vulnerability (CWE-943, where attackers inject malicious database commands into user input without sanitization). An attacker with access to a vulnerable chatflow can execute arbitrary Cypher commands on the connected Neo4j database (a graph database), allowing them to read, modify, or delete data.

Flowise's password reset feature sends reset links over HTTP (an unencrypted protocol) instead of HTTPS (encrypted protocol), allowing attackers on the same network (like public Wi-Fi) to intercept the link through a man-in-the-middle attack (where someone secretly reads data between two parties) and take over user accounts.

Flowise has a security flaw where unauthenticated users can obtain OAuth 2.0 access tokens (credentials that grant access to third-party services like Gmail) from public chatflows. An attacker can first retrieve internal workflow data including credential identifiers from a public endpoint, then use those identifiers to refresh OAuth tokens without any authentication checks, potentially gaining unauthorized access to connected services.

FlowiseAI versions 2.2.1 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability, where an attacker can inject malicious prompt templates into the API Chain components to trick the system into making HTTP requests to internal or external services it shouldn't access. Since the system trusts the LLM (language model) to generate URLs based on API documentation without validating them, attackers can provide fake documentation pointing to sensitive internal services, potentially exposing internal networks and data.

Flowise contains security flaws in its SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal systems) protection code. Two main issues exist: by default, the deny list is not enforced if an environment variable is not set, allowing requests to localhost, and attackers can use DNS rebinding (TOCTOU, time-of-check time-of-use, where a domain's IP address changes between when the server checks it and when it connects) to bypass IP validation checks.

Flowise has a security flaw in its Custom Function feature where SSRF (Server-Side Request Forgery, a type of attack where a server is tricked into making unwanted network requests) protection only covers two libraries (axios and node-fetch) but leaves built-in Node.js modules like http, https, and net unprotected. This allows authenticated users to bypass the security controls and access internal network resources, such as cloud provider metadata services that contain sensitive credentials.

FlowiseAI has a file upload validation bypass vulnerability in its Chatflow configuration where attackers can modify settings to allow the application/javascript MIME type (a file format label), enabling them to upload malicious .js (JavaScript) files even though the interface normally blocks them. These uploaded files can become persistent web shells (programs that let attackers run commands on the server), potentially leading to RCE (remote code execution, where an attacker can run arbitrary commands on the system).

Flowise has a critical unauthenticated remote command execution (RCE) vulnerability that allows attackers to run arbitrary system commands with root privileges. The flaw exists in a validation check that uses `.includes()` instead of `.startsWith()` to filter the `FILE-STORAGE::` keyword, which an attacker can bypass by embedding it anywhere in a string (like in a comment). When bypassed, this allows the attacker to inject malicious values into the `mcpServerConfig` parameter and use `NODE_OPTIONS` environment variable injection to execute arbitrary code, but only if the chatflow has API Override enabled, is publicly shared, and contains a Custom MCP tool node.

A Flowise endpoint called /api/v1/public-chatbotConfig/:id exposes sensitive information like API keys and authentication headers without requiring a password or login. An attacker who knows only a chatflow UUID (a unique identifier for a workflow) can retrieve stored credentials and internal URLs by sending a simple web request to this endpoint.