Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01Y3BoLXd2bTktNDVnas4ABBnC

Flowise OverrideConfig security vulnerability

Impact

Flowise allows developers to inject configuration into the Chainflow during execution through the overrideConfig option. This is supported in both the frontend web integration and the backend Prediction API.

This has a range of fundamental issues that are a major security vulnerability.
While this feature is intentional, it should have strong protections added and be disabled by default.

These issues include:

  1. Remote code execution. While inside a sandbox this allows for
  2. Sandbox escape
  3. DoS by crashing the server
  4. SSRF
  5. Prompt Injection, both System and User
  6. Full control over LLM prompts
  7. Server variable and data exfiltration
    And many many more such as altering the flow of a conversation, prompt exfiltration via LLM proxying etc.

These issues are self-targeted and do not persist to other users but do leave the server and business exposed.
All issues are shown with the API but also work with the web embed.

Workarounds

Permalink: https://github.com/advisories/GHSA-5cph-wvm9-45gj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Y3BoLXd2bTktNDVnas4ABBnC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 19 days ago
Updated: 19 days ago


Identifiers: GHSA-5cph-wvm9-45gj
References: Repository: https://github.com/FlowiseAI/Flowise
Blast Radius: 0.0

Affected Packages

npm:flowise
Dependent packages: 0
Dependent repositories: 1
Downloads: 9,811 last month
Affected Version Ranges: < 2.1.4
Fixed in: 2.1.4
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3
All unaffected versions: 2.1.4, 2.1.5, 2.2.0