Arbitrary Code Injection
flowise-components is a Flowiseai Components
Affected versions of this package are vulnerable to Arbitrary Code Injection via the node-custom-function endpoint when user-supplied JavaScript is executed in a NodeVM sandbox without sufficient route-level authorization. A user can execute commands on the server by submitting malicious JavaScript code that escapes the sandbox and gains access to the host process object, which can run code as a child_process. This vulnerability only occurs when E2B_APIKEY is not set. It is not set by default.
How to fix Arbitrary Code Injection? Upgrade flowise-components to version 3.1.2 or higher.

Incomplete List of Disallowed Inputs
Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the server by bypassing command flag blacklists and local file access restrictions through crafted arguments to the MCP interface. This is only exploitable if the attacker has an account or API access with view and update permissions for chatflows, and the deployment environment has the required commands (such as docker or npx) available.
How to fix Incomplete List of Disallowed Inputs? Upgrade flowise-components to version 3.1.2 or higher.

Incomplete List of Disallowed Inputs
Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the run() function of the CSV_Agents class when evaluating LLM-generated Python scripts in a pyodide environment without sufficient sandboxing. An attacker can execute arbitrary code on the server by crafting prompts that bypass input validation and cause malicious Python code to be executed. This can be achieved by sending specially crafted prompts to a chatflow using the CSV Agent node, resulting in the execution of attacker-controlled commands in the context of the server process.
How to fix Incomplete List of Disallowed Inputs? Upgrade flowise-components to version 3.1.0 or higher.

Arbitrary File Upload
Affected versions of this package are vulnerable to Arbitrary File Upload in createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may lead to the execution of arbitrary code if the uploaded file is triggered.
How to fix Arbitrary File Upload? Upgrade flowise-components to version 3.1.0 or higher.

Server-side Request Forgery (SSRF)
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via ExecuteFlow.ts. An attacker can cause the server to initiate HTTP requests to internal network addresses, potentially accessing sensitive management interfaces or leaking confidential information, by supplying a crafted base URL value.
How to fix Server-side Request Forgery (SSRF)? Upgrade flowise-components to version 3.1.0 or higher.

Server-side Request Forgery (SSRF)
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the URL-fetching tool in ExecuteFlow.ts, APILoader.ts, FireCrawl.ts, SpiderApp.ts, AzureRerank.ts, Jira/core.ts, MCP/core.ts, OpenAPIToolkit.ts, and Searxng.ts. An attacker can make the application send requests to arbitrary internal or external endpoints by supplying a crafted URL, redirect target, or API endpoint to these components. The vulnerable request handlers follow attacker-controlled URLs without consistently enforcing the deny list or pinning redirects, allowing malicious input to drive the server to protected network services, metadata endpoints, or other unintended hosts. In deployments that expose these tools to untrusted users or remote integrations, this can leak internal data and enable access to services reachable only from the Flowise host.
Notes
HTTP_DENY_LIST is only effective when requests go through packages/components/src/httpSecurity.ts; components that call raw node-fetch/axios bypass that centralized validation entirely, so deployments relying on the deny list for egress control did not get protection from those paths.
Workarounds
- Disable or restrict access to the vulnerable URL-fetching tools, especially OpenAPIToolkit, MCP, Jira, Searxng, ExecuteFlow, APILoader, FireCrawl, SpiderApp, and AzureRerank, when they can be reached by untrusted users or remote integrations; this prevents attacker-supplied URLs from being used to reach internal or metadata endpoints.
How to fix Server-side Request Forgery (SSRF)? Upgrade flowise-components to version 3.1.0 or higher.

Server-side Request Forgery (SSRF)
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via postCore.ts. An attacker can cause the server to make arbitrary HTTP requests to internal or external systems by injecting malicious prompt templates that manipulate API documentation and override intended URL constraints.
How to fix Server-side Request Forgery (SSRF)? Upgrade flowise-components to version 3.1.0 or higher.

Command Injection
Affected versions of this package are vulnerable to Command Injection via the Custom MCP configuration in http://localhost:3000/canvas. An attacker can execute arbitrary commands on the underlying operating system by supplying crafted arguments to the command and args fields when adding a new MCP stdio server. This is possible even with existing input sanitization checks, as certain command combinations can bypass these protections.
How to fix Command Injection? Upgrade flowise-components to version 3.1.0 or higher.

Directory Traversal
Affected versions of this package are vulnerable to Directory Traversal via the vector store path handling in Faiss.ts and SimpleStore.ts. An attacker can read from or write to unintended filesystem locations by supplying a crafted basePath when creating or loading a vector store. This can overwrite application files or place vector store data outside the intended storage area, leading to data integrity loss and exposing local files to any deployment that accepts untrusted flow configuration or node inputs.
How to fix Directory Traversal? Upgrade flowise-components to version 3.1.0 or higher.

Server-side Request Forgery (SSRF)
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by sending requests through built-in modules such as http, https, or net in deployments that rely on the HTTP deny list. This leaves deployments exposed to server-side request forgery against services that operators expected to be blocked, allowing access to internal network resources and any data or actions those endpoints expose.
How to fix Server-side Request Forgery (SSRF)? Upgrade flowise-components to version 3.1.0 or higher.

Improper Neutralization of Special Elements in Data Query Logic
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic through the GraphCypherQA_Chain request handling and graph.query execution path in GraphCypherQAChain.ts. An attacker can force the chain to generate and run malicious Cypher by supplying crafted natural-language prompts that override the LLM instructions or embed Cypher control tokens. The vulnerable path accepts attacker-controlled input, passes it into the LLM, and executes the resulting query against the backing graph without reliably constraining it. A successful attack can delete or modify graph data and expose records returned by the database, resulting in data corruption and unintended disclosure.
Notes
- The advisory’s exploit path assumes a chatflow that wires GraphCypherQAChain to a live Neo4j graph connection and exposes the prediction endpoint; deployments that include the node but do not connect a graph backend, or do not publish /api/v1/prediction/{flowId}, do not present the same reachable surface.
Workarounds
- Restrict access to the chatflow prediction endpoint POST /api/v1/prediction/{flowId} so only trusted users can reach a Graph Cypher QA Chain flow; this prevents an attacker from sending crafted prompts that trigger Cypher injection against the connected Neo4j database.
- Remove or disable the Graph Cypher QA Chain node from any chatflow that is exposed to untrusted input; this prevents attacker-controlled prompts from reaching the graph.query execution path.
How to fix Improper Neutralization of Special Elements in Data Query Logic? Upgrade flowise-components to version 3.1.0 or higher.

Arbitrary Code Injection
Affected versions of this package are vulnerable to Arbitrary Code Injection through the pythonCodeValidator and the Python execution paths in AirtableAgent.ts and CSVAgent.ts. An attacker can supply LLM-generated Python code that smuggles in additional imports or reflection-based access and have it executed inside the Pyodide runtime. This lets the attacker run unauthorized Python code in memory, exposing or manipulating data handled by the agent and potentially reaching host-level functionality available to the runtime.
Workarounds
- Disable or avoid using the Airtable Agent and CSV Agent paths that execute LLM-generated Python, so attacker-supplied prompt injection cannot reach Pyodide execution.
- If you must keep those agents enabled, block any generated Python that contains import statements, including from ... import ..., so the model cannot add extra modules before execution.
How to fix Arbitrary Code Injection? Upgrade flowise-components to version 3.1.0 or higher.

Partial String Comparison
Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuration in a prediction request. This lets the attacker override restricted inputs, including file-backed inputs, into the runtime flow and alter how the server processes the request.
Notes
- The RCE path in the maintainer's advisory depends on NODE_OPTIONS being accepted inside the overridden mcpServerConfig.
- The bypass only matters when API Override is enabled on a publicly reachable chatflow, because that is what allows request-supplied override JSON to reach the parameter-merging logic.
Workarounds
- Disable API Override for chatflows that do not need user-supplied configuration overrides, so attackers cannot supply crafted overrideConfig values to bypass parameter restrictions.
- Keep the chatflow private instead of making it public, so unauthenticated users cannot send the single-request payload needed to reach the override path.
- Remove or avoid Custom MCP nodes in exposed chatflows, so attackers cannot use mcpServerConfig overrides to inject NODE_OPTIONS and execute arbitrary commands.
How to fix Partial String Comparison? Upgrade flowise-components to version 3.1.0 or higher.

Use of a Broken or Risky Cryptographic Algorithm
Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs using publicly known default secrets. This is only exploitable if the environment variables for JWT secrets are not explicitly set and the application is deployed with default values.
How to fix Use of a Broken or Risky Cryptographic Algorithm? Upgrade flowise-components to version 3.1.0 or higher.

Arbitrary Code Injection
Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only exploitable if the attacker is authenticated or can bypass authentication by providing the "x-request-from: internal" header when FLOWISE_USERNAME and FLOWISE_PASSWORD are not set.
How to fix Arbitrary Code Injection? Upgrade flowise-components to version 3.1.0 or higher.

Server-side Request Forgery (SSRF)
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the secureAxiosRequest and secureFetch functions. An attacker can gain unauthorized access to internal services and potentially exfiltrate sensitive data or manipulate internal resources by bypassing allow/deny list protections through DNS rebinding or exploiting insecure default configurations. This is only exploitable if the environment variable HTTP_DENY_LIST is unset or misconfigured.
How to fix Server-side Request Forgery (SSRF)? Upgrade flowise-components to version 3.1.0 or higher.
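The two gaps named in the SSRF entries on this page, redirects that are followed without re-checking the deny list and DNS answers that change between the check and the connection, can be closed in one request wrapper. The following is an added example, not Flowise's httpSecurity.ts code; guardedFetch, stubResolve, stubSend and DENY_CIDRS are hypothetical names, the DNS and HTTP layers are constructed stand-ins so the block runs offline, and the sketch admits IPv4 only.

```javascript
// Added example. guardedFetch, stubResolve, stubSend and DENY_CIDRS are hypothetical names.
const DENY_CIDRS = ['0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
                    '172.16.0.0/12', '192.168.0.0/16'];

// Strict dotted-quad IPv4 -> unsigned 32-bit number, or null for anything else.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  const ok = parts.length === 4 && parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) < 256);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isDenied(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // fail closed: this sketch admits IPv4 only
  return DENY_CIDRS.some(cidr => {
    const [base, bits] = cidr.split('/');
    const size = 2 ** (32 - Number(bits));
    return Math.floor(n / size) === Math.floor(ipv4ToInt(base) / size);
  });
}

// resolve(host) -> Promise<string[]>; send({url, connectTo}) -> Promise<{status, headers, body}>
async function guardedFetch(startUrl, { resolve, send, maxRedirects = 3 }) {
  let url = new URL(startUrl);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!['http:', 'https:'].includes(url.protocol)) throw new Error('blocked scheme');
    const addrs = await resolve(url.hostname);
    // Reject if ANY answer is denied, so a mixed public/internal record set cannot pass.
    if (addrs.length === 0 || addrs.some(isDenied)) throw new Error(`blocked host ${url.hostname}`);
    // Pin: the transport connects to the address just checked instead of resolving again.
    const res = await send({ url: url.href, connectTo: addrs[0] });
    if (res.status < 300 || res.status >= 400 || !res.headers.location) return res;
    url = new URL(res.headers.location, url); // redirect target is re-validated next pass
  }
  throw new Error('too many redirects');
}

// Constructed offline stand-ins for DNS and the HTTP transport (no network access).
const DNS = new Map([['docs.example.test', ['93.184.216.34']],
                     ['mixed.example.test', ['93.184.216.34', '10.0.0.5']]]);
const stubResolve = async host => DNS.get(host) ?? (ipv4ToInt(host) === null ? [] : [host]);
const stubSend = async ({ url }) => url.endsWith('/moved')
  ? { status: 302, headers: { location: 'http://169.254.169.254/' }, body: '' }
  : { status: 200, headers: {}, body: 'ok' };

async function outcome(url) {
  try { return (await guardedFetch(url, { resolve: stubResolve, send: stubSend })).body; }
  catch (err) { return err.message; }
}
```

A check like this only helps when every outbound call goes through it, which is the point of the note above about components that call raw node-fetch/axios.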

Incomplete List of Disallowed Inputs
Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the Airtable_Agents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute arbitrary code on the server by crafting malicious prompts or responses that bypass input validation, leading to the execution of system commands with the privileges of the server process. This can be achieved by sending specially crafted requests to chatflows using the Airtable Agent node, or by configuring a chatflow to use an attacker-controlled server or Airtable table.
How to fix Incomplete List of Disallowed Inputs? Upgrade flowise-components to version 3.1.0 or higher.