CVE-2024-36421
HIGH
Flowise 1.4.3 - Unauthenticated Origin Validation Error via CORS Misconfiguration
Title source: llm
Description
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow attackers without access to Flowise to read arbitrary files from the Flowise server. As of the time of publication, no known patches are available.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/
Scores
CVSS v3
7.5
EPSS
0.0849
EPSS Percentile
94.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-346
Status
published
Products (2)
flowiseai/flowise
1.4.3
npm/flowise
0npm
Published
Jul 01, 2024
Tracked Since
Feb 18, 2026