GHSA-7944-7c6r-55vv: FlowiseAI Pre-Auth Arbitrary Code Execution
An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript’s execSync() to launch reverse shells, access environment secrets, or perform any OS-level command execution.
This results in full server compromise and severe breach of trust boundaries between frontend input and backend execution logic.
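The root of this bug class is a filter string that is handed to a code-evaluating path instead of being treated as data. The block below is an added illustration, not code from Flowise or from the advisory: it parses a filter expression against a strict `<column>.<operator>.<value>` grammar, rejects (and logs) anything else, and turns the result into a PostgREST query parameter where the value is URL-encoded and can never be executed. The grammar, the operator allow-list and the helper names are assumptions made for the example; the actual fix is the Flowise 3.0.6 release referenced below.

```typescript
// Added example (not Flowise's own code): treat the Supabase filter field as
// data. Grammar assumed here:  <column>.<operator>.<value>, e.g. "status.eq.active".
// Nothing in the string is ever passed to eval(), new Function() or execSync().

type FilterOperator =
  | "eq" | "neq" | "gt" | "gte" | "lt" | "lte" | "like" | "ilike" | "is" | "in";

interface ParsedFilter {
  column: string;
  operator: FilterOperator;
  value: string;
}

// Allow-list of operators the query layer understands (assumed subset of PostgREST).
const ALLOWED_OPERATORS: ReadonlySet<string> = new Set([
  "eq", "neq", "gt", "gte", "lt", "lte", "like", "ilike", "is", "in",
]);

// Column: identifier characters only, bounded length.
const COLUMN_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
// Value: printable ASCII only (no control characters), bounded length.
const VALUE_RE = /^[\x20-\x7E]{1,256}$/;

function parseFilter(expr: string): ParsedFilter {
  if (typeof expr !== "string" || expr.length > 512) {
    throw new Error("filter rejected: not a string or too long");
  }
  // Split on the first two dots only; the value itself may contain dots.
  const first = expr.indexOf(".");
  const second = first === -1 ? -1 : expr.indexOf(".", first + 1);
  if (first === -1 || second === -1) {
    throw new Error("filter rejected: expected <column>.<operator>.<value>");
  }
  const column = expr.slice(0, first);
  const operator = expr.slice(first + 1, second);
  const value = expr.slice(second + 1);

  if (!COLUMN_RE.test(column)) {
    throw new Error(`filter rejected: bad column ${JSON.stringify(column)}`);
  }
  if (!ALLOWED_OPERATORS.has(operator)) {
    throw new Error(`filter rejected: operator ${JSON.stringify(operator)} not allowed`);
  }
  if (!VALUE_RE.test(value)) {
    throw new Error("filter rejected: value has control characters or is too long");
  }
  return { column, operator: operator as FilterOperator, value };
}

// Defensive wrapper: returns null on any malformed input and records the
// rejection, so attempts to smuggle code into the field show up in logs.
function safeParseFilter(
  expr: string,
  log: (msg: string) => void = console.warn,
): ParsedFilter | null {
  try {
    return parseFilter(expr);
  } catch (err) {
    log(`supabase-filter: rejected untrusted input: ${(err as Error).message}`);
    return null;
  }
}

// Encode the parsed filter as the PostgREST query parameter "column=op.value".
// URLSearchParams percent-encodes the value, so it travels strictly as data.
function toQueryParam(f: ParsedFilter): string {
  return new URLSearchParams({ [f.column]: `${f.operator}.${f.value}` }).toString();
}

// Constructed sample inputs: one well-formed filter and two that must be refused.
const SAMPLE_OK = "status.eq.active";
const SAMPLE_BAD = ["require('child_process')", "status"];

function demo(): number {
  const parsed = safeParseFilter(SAMPLE_OK);
  if (parsed) console.log("accepted:", toQueryParam(parsed));
  return SAMPLE_BAD.filter((s) => safeParseFilter(s, () => undefined) === null).length;
}
```

The important design choice is that the operator string is only ever used as a key into an allow-list and the value only ever becomes an encoded query parameter; the parser never builds or evaluates JavaScript, so a crafted filter has no path to `child_process`.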
References
- github.com/FlowiseAI/Flowise
- github.com/FlowiseAI/Flowise/blob/flowise%403.0.5/packages/components/nodes/vectorstores/Supabase/Supabase.ts
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-7944-7c6r-55vv
- github.com/advisories/GHSA-7944-7c6r-55vv