CVE-2024-36421

HIGH

Flowise 1.4.3 - SSRF

Title source: llm

Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.

References (2)

[Exploit, Third Party Advisory] https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/

[Product] https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L122

View Writeup ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0163

EPSS Percentile 82.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-346

Status published

Products (2)

flowiseai/flowise 1.4.3

npm/flowise 0npm

Published Jul 01, 2024

Tracked Since Feb 18, 2026