GHSA-5CPH-WVM9-45GJ
Vulnerability from github – Published: 2024-11-21 22:21 – Updated: 2024-11-21 22:21Impact
Flowise allows developers to inject configuration into the Chainflow during execution through the overrideConfig option. This is supported in both the frontend web integration and the backend Prediction API.
This has a range of fundamental issues that are a major security vulnerability. While this feature is intentional, it should have strong protections added and be disabled by default.
These issues include: 1. Remote code execution. While inside a sandbox this allows for 1. Sandbox escape 2. DoS by crashing the server 3. SSRF 2. Prompt Injection, both System and User 1. Full control over LLM prompts 2. Server variable and data exfiltration And many many more such as altering the flow of a conversation, prompt exfiltration via LLM proxying etc.
These issues are self-targeted and do not persist to other users but do leave the server and business exposed. All issues are shown with the API but also work with the web embed.
Workarounds
overrideConfigshould be disabled by defaultoverrideConfigshould have an explicit allow list of variables that are allowed to be modified. This way the user opts-in to where modifications can be made.vm2and any forks of it should be removed as in the authors own words, "fixing the vulnerability seems impossible". The recommended replacement is https://www.npmjs.com/package/isolated-vm
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-21T22:21:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nFlowise allows developers to inject configuration into the Chainflow during execution through the `overrideConfig` option. This is supported in both the frontend web integration and the backend Prediction API. \n\nThis has a range of fundamental issues that are a **major** security vulnerability. \nWhile this feature is intentional, it should have strong protections added and be disabled by default. \n\nThese issues include: \n1. Remote code execution. While inside a sandbox this allows for\n 1. Sandbox escape \n 2. DoS by crashing the server\n 3. SSRF\n2. Prompt Injection, both System and User\n 1. Full control over LLM prompts\n 2. Server variable and data exfiltration\nAnd many many more such as altering the flow of a conversation, prompt exfiltration via LLM proxying etc.\n\nThese issues are self-targeted and do not persist to other users but do leave the server and business exposed. \nAll issues are shown with the API but also work with the web embed.\n\n### Workarounds\n- `overrideConfig` should be disabled by default\n- `overrideConfig` should have an explicit allow list of variables that are allowed to be modified. This way the user opts-in to where modifications can be made. \n- `vm2` and any forks of it should be removed as in the authors own words, \"fixing the vulnerability seems impossible\". The recommended replacement is https://www.npmjs.com/package/isolated-vm",
"id": "GHSA-5cph-wvm9-45gj",
"modified": "2024-11-21T22:21:03Z",
"published": "2024-11-21T22:21:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5cph-wvm9-45gj"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Flowise OverrideConfig security vulnerability"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.