flowise-ui 3.0.7

Direct Vulnerabilities

Known vulnerabilities in the flowise-ui package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Use of a Broken or Risky Cryptographic Algorithm flowise-ui is a Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the `process` that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs using publicly known default secrets. This is only exploitable if the environment variables for JWT secrets are not explicitly set and the application is deployed with default values. How to fix Use of a Broken or Risky Cryptographic Algorithm? Upgrade `flowise-ui` to version 3.1.0 or higher.	<3.1.0
C Arbitrary Code Injection flowise-ui is a Affected versions of this package are vulnerable to Arbitrary Code Injection via the `customReadCSVFunc` process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only exploitable if the attacker is authenticated or can bypass authentication by providing the "x-request-from: internal" header when `FLOWISE_USERNAME` and `FLOWISE_PASSWORD` are not set. How to fix Arbitrary Code Injection? Upgrade `flowise-ui` to version 3.1.0 or higher.	<3.1.0
C Incomplete List of Disallowed Inputs flowise-ui is a Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the `run` method of the Airtable_Agents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute arbitrary code on the server by crafting malicious prompts or responses that bypass input validation, leading to the execution of system commands with the privileges of the server process. This can be achieved by sending specially crafted requests to chatflows using the Airtable Agent node, or by configuring a chatflow to use an attacker-controlled server or Airtable table. How to fix Incomplete List of Disallowed Inputs? Upgrade `flowise-ui` to version 3.1.0 or higher.	<3.1.0
C Server-side Request Forgery (SSRF) flowise-ui is a Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HTTP Node as it is used in AgentFlow and Chatflow. An attacker can access internal network resources, retrieve sensitive information, or modify and delete data by supplying crafted URLs to the server, which then performs HTTP requests to internal or restricted endpoints on behalf of the attacker. This can lead to exposure of internal admin panels, cloud metadata, and allow further privilege escalation or lateral movement. How to fix Server-side Request Forgery (SSRF)? Upgrade `flowise-ui` to version 3.0.13 or higher.	<3.0.13
H Insufficient Session Expiration flowise-ui is a Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate active session tokens after a password change. An attacker can maintain unauthorized access by continuing to use a previously established `session` even after the legitimate user updates their credentials. How to fix Insufficient Session Expiration? Upgrade `flowise-ui` to version 3.0.9 or higher.	<3.0.9
H Unverified Password Change flowise-ui is a Affected versions of this package are vulnerable to Unverified Password Change via the profile update process. An attacker can gain unauthorized access to user accounts by changing the email address associated with an account without additional verification steps. Note: This is only exploitable if the attacker gains initial access to the account. How to fix Unverified Password Change? Upgrade `flowise-ui` to version 3.0.9 or higher.	<3.0.9
H Unverified Password Change flowise-ui is a Affected versions of this package are vulnerable to Unverified Password Change via the profile update process. An attacker can gain unauthorized access to user accounts by changing the authentication password without additional verification steps. Note: This is only exploitable if the attacker gains initial access to the account. How to fix Unverified Password Change? Upgrade `flowise-ui` to version 3.0.9 or higher.	<3.0.9
H Arbitrary File Upload flowise-ui is a Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload process. An attacker can store malicious files on the server by uploading files without proper validation of file type, extension, or content. This can result in the persistent presence of executable scripts, which may be triggered later to execute arbitrary commands on the server. How to fix Arbitrary File Upload? Upgrade `flowise-ui` to version 3.0.8 or higher.	<3.0.8

Vulnerability

Vulnerable Version

Use of a Broken or Risky Cryptographic Algorithm

flowise-ui is a

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs using publicly known default secrets. This is only exploitable if the environment variables for JWT secrets are not explicitly set and the application is deployed with default values.

How to fix Use of a Broken or Risky Cryptographic Algorithm?

Upgrade flowise-ui to version 3.1.0 or higher.

<3.1.0

Arbitrary Code Injection

flowise-ui is a

Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only exploitable if the attacker is authenticated or can bypass authentication by providing the "x-request-from: internal" header when FLOWISE_USERNAME and FLOWISE_PASSWORD are not set.

How to fix Arbitrary Code Injection?

Upgrade flowise-ui to version 3.1.0 or higher.

<3.1.0

Incomplete List of Disallowed Inputs

flowise-ui is a

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the Airtable_Agents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute arbitrary code on the server by crafting malicious prompts or responses that bypass input validation, leading to the execution of system commands with the privileges of the server process. This can be achieved by sending specially crafted requests to chatflows using the Airtable Agent node, or by configuring a chatflow to use an attacker-controlled server or Airtable table.

How to fix Incomplete List of Disallowed Inputs?

Upgrade flowise-ui to version 3.1.0 or higher.

<3.1.0

Server-side Request Forgery (SSRF)

flowise-ui is a

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HTTP Node as it is used in AgentFlow and Chatflow. An attacker can access internal network resources, retrieve sensitive information, or modify and delete data by supplying crafted URLs to the server, which then performs HTTP requests to internal or restricted endpoints on behalf of the attacker. This can lead to exposure of internal admin panels, cloud metadata, and allow further privilege escalation or lateral movement.

How to fix Server-side Request Forgery (SSRF)?

Upgrade flowise-ui to version 3.0.13 or higher.

<3.0.13

Insufficient Session Expiration

flowise-ui is a

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate active session tokens after a password change. An attacker can maintain unauthorized access by continuing to use a previously established session even after the legitimate user updates their credentials.

How to fix Insufficient Session Expiration?

Upgrade flowise-ui to version 3.0.9 or higher.

<3.0.9

Unverified Password Change

flowise-ui is a

Affected versions of this package are vulnerable to Unverified Password Change via the profile update process. An attacker can gain unauthorized access to user accounts by changing the email address associated with an account without additional verification steps.

Note: This is only exploitable if the attacker gains initial access to the account.

How to fix Unverified Password Change?

Upgrade flowise-ui to version 3.0.9 or higher.

<3.0.9

Unverified Password Change

flowise-ui is a

Affected versions of this package are vulnerable to Unverified Password Change via the profile update process. An attacker can gain unauthorized access to user accounts by changing the authentication password without additional verification steps.

Note: This is only exploitable if the attacker gains initial access to the account.

How to fix Unverified Password Change?

Upgrade flowise-ui to version 3.0.9 or higher.

<3.0.9

Arbitrary File Upload

flowise-ui is a

Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload process. An attacker can store malicious files on the server by uploading files without proper validation of file type, extension, or content. This can result in the persistent presence of executable scripts, which may be triggered later to execute arbitrary commands on the server.

How to fix Arbitrary File Upload?

Upgrade flowise-ui to version 3.0.8 or higher.

<3.0.8

flowise-ui@3.0.7

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically