AI & LLM Vulnerabilities

FlowiseAI versions 2.2.1 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability, where an attacker can inject malicious prompt templates into the API Chain components to trick the system into making HTTP requests to internal or external services it shouldn't access. Since the system trusts the LLM (language model) to generate URLs based on API documentation without validating them, attackers can provide fake documentation pointing to sensitive internal services, potentially exposing internal networks and data.

Flowise contains security flaws in its SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal systems) protection code. Two main issues exist: by default, the deny list is not enforced if an environment variable is not set, allowing requests to localhost, and attackers can use DNS rebinding (TOCTOU, time-of-check time-of-use, where a domain's IP address changes between when the server checks it and when it connects) to bypass IP validation checks.

Flowise has a security flaw in its Custom Function feature where SSRF (Server-Side Request Forgery, a type of attack where a server is tricked into making unwanted network requests) protection only covers two libraries (axios and node-fetch) but leaves built-in Node.js modules like http, https, and net unprotected. This allows authenticated users to bypass the security controls and access internal network resources, such as cloud provider metadata services that contain sensitive credentials.

FlowiseAI has a file upload validation bypass vulnerability in its Chatflow configuration where attackers can modify settings to allow the application/javascript MIME type (a file format label), enabling them to upload malicious .js (JavaScript) files even though the interface normally blocks them. These uploaded files can become persistent web shells (programs that let attackers run commands on the server), potentially leading to RCE (remote code execution, where an attacker can run arbitrary commands on the system).

Flowise has a critical unauthenticated remote command execution (RCE) vulnerability that allows attackers to run arbitrary system commands with root privileges. The flaw exists in a validation check that uses `.includes()` instead of `.startsWith()` to filter the `FILE-STORAGE::` keyword, which an attacker can bypass by embedding it anywhere in a string (like in a comment). When bypassed, this allows the attacker to inject malicious values into the `mcpServerConfig` parameter and use `NODE_OPTIONS` environment variable injection to execute arbitrary code, but only if the chatflow has API Override enabled, is publicly shared, and contains a Custom MCP tool node.

A Flowise endpoint called /api/v1/public-chatbotConfig/:id exposes sensitive information like API keys and authentication headers without requiring a password or login. An attacker who knows only a chatflow UUID (a unique identifier for a workflow) can retrieve stored credentials and internal URLs by sending a simple web request to this endpoint.

Flowise Cloud has a mass assignment vulnerability (JSON injection, where attackers can hide malicious data in JSON input) in its account registration endpoint that allows unauthenticated attackers to inject server-managed fields like organization IDs and role assignments during account creation. This breaks trust boundaries in the multi-tenant environment (a system serving multiple separate organizations) by letting attackers associate their new accounts with existing organizations they don't own, gaining unauthorized access and escalated privileges.

Flowise's AirtableAgent has a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability because user input is inserted directly into Python code without sanitization. An attacker can use prompt injection (tricking an AI by hiding instructions in its input) to bypass the intended behavior and execute arbitrary code when the system processes Pandas (a Python library for working with data) operations.

mcp-server-kubernetes versions 3.4.0 and earlier have an argument injection vulnerability (a type of attack where an attacker sneaks extra commands into a tool by exploiting how input is processed) in the port_forward tool. The vulnerability exists because the code builds a kubectl command (a tool for managing Kubernetes clusters) by concatenating strings with user input and splitting on spaces, instead of using a safer array-based method like other tools in the codebase. This allows attackers to inject malicious kubectl flags to expose internal services or target resources in unintended ways.

Kiro IDE (a development environment that uses AI agents to help developers) has a cross-site scripting vulnerability (XSS, where an attacker injects malicious code that runs in a web browser) in versions before 0.8.140. An attacker can exploit this by creating a malicious workspace with a crafted color theme name, and if a user opens and trusts that workspace, the attacker's code will execute on their computer.

A vulnerability in OpenAI Codex CLI v0.23.0 and earlier allows attackers to execute arbitrary code by creating malicious configuration files (.env and .codex/config.toml) in a repository. When a user runs the codex command in a compromised repository, the tool automatically loads these files without asking for permission, triggering the attacker's embedded commands.

An SSH/SCP option injection vulnerability in the @aiondadotcom/mcp-ssh library allowed attackers to execute arbitrary commands locally on the machine running the MCP server (a tool that connects an AI to external systems). By crafting malicious input like `-oProxyCommand=...`, attackers could trick SSH into running their code before any network connection happened, potentially stealing SSH keys and credentials. The vulnerability could be triggered even without a malicious user, since an LLM (large language model) could be tricked through prompt injection (hiding attacker instructions in text it reads) to pass the malicious input to the tool.