Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the …
The ReadFileTool in Flowise does not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read arbitrary files from the file system, potentially leading to remote command execution.
The WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerability to write arbitrary files to any path in the file system, potentially leading to remote command execution.
A file upload vulnerability in FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).
User-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host (not sandboxed) leading to RCE.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7r4h-vmj9-wg42. This link is maintained to preserve external references. Original Description Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-964p-j4gg-mhwc. This link is maintained to preserve external references. Original Description Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log.
A XSS(cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side Javascript code) into web pages, and when users browse these web pages, the malicious code will be executed, and the victims may be vulnerable to various attacks such as cookie data theft, etc.
In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information with stored Cross Site Scripting.
In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information with stored Cross Site Scripting.
A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. When an administrator views messages using the "View Messages" button in the workflow UI, the malicious script executes in the context of the admin’s browser, enabling credential theft via access to localStorage.
A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. When an administrator views messages using the "View Messages" button in the workflow UI, the malicious script executes in the context of the admin’s browser, enabling credential theft via access to localStorage.
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The impact includes the potential exposure of sensitive internal administrative endpoints.
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The impact includes the potential exposure of sensitive internal administrative endpoints.
An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync() to launch reverse shells, access environment secrets, or perform any OS-level command execution. This results in full server compromise and severe breach of trust boundaries between frontend input and backend execution logic.
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, the default installation of Flowise operates without authentication unless explicitly configured using the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables. This combination presents a significant security risk, potentially allowing users on the platform to …
The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs …
The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs …
Missing chat flow id validation allows an attacker to access arbitrary file.
An arbitrary file read vulnerability in the chatId parameter supplied to both the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints allows unauthenticated users to read unintended files on the local filesystem. In the default Flowise configuration this allows reading of the local sqlite db and subsequent compromise of all database content.
The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API. CVSS v3.1 Base Score: 9.8 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hmgh-466j-fx4c. This link is maintained to preserve external references. Original Description User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.
import functions are vulnerable. importChatflows importTools importVariables
An attacker could write files with arbitrary content to the filesystem via the /api/v1/document-store/loader/process API. An attacker can reach RCE(Remote Code Execution) via file writing.
An unauthorized attacker can leverage the allow-listed route /api/v1/attachments to upload arbitrary files when the storageType is set to local (default).
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.