Improper Control of Generation of Code ('Code Injection') Affecting flowise package, versions <2.0.6


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
0.27% (69th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Control of Generation of Code ('Code Injection') vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-FLOWISE-6730105
  • published30 Apr 2024
  • disclosed29 Apr 2024
  • creditUnknown

Introduced: 29 Apr 2024

CVE-2024-31621  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade flowise to version 2.0.6 or higher.

Overview

flowise is a Flowiseai Server

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to improper input validation in the api/v1 component. An attacker can execute arbitrary code by sending a crafted script.

PoC

curl http://localhost:3000/Api/v1/credentials

CVSS Scores

version 3.1