Partial String Comparison Affecting flowise-components package, versions <3.1.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-FLOWISECOMPONENTS-16110832
- published20 Apr 2026
- disclosed16 Apr 2026
- creditretpoline
Introduced: 16 Apr 2026
New CVE NOT AVAILABLE CWE-187 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade flowise-components to version 3.1.0 or higher.
Overview
flowise-components is a Flowiseai Components
Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuration in a prediction request. This lets the attacker override restricted inputs, including file-backed inputs, into the runtime flow and alter how the server processes the request.
Notes
- The RCE path in the maintainer's advisory depends on
NODE_OPTIONSbeing accepted inside the overriddenmcpServerConfig. - The bypass only matters when
API Overrideis enabled on a publicly reachable chatflow, because that is what allows request-supplied override JSON to reach the parameter-merging logic.
Workarounds
- Disable
API Overridefor chatflows that do not need user-supplied configuration overrides, so attackers cannot supply craftedoverrideConfigvalues to bypass parameter restrictions. - Keep the chatflow private instead of making it public, so unauthenticated users cannot send the single-request payload needed to reach the override path.
- Remove or avoid
Custom MCPnodes in exposed chatflows, so attackers cannot usemcpServerConfigoverrides to injectNODE_OPTIONSand execute arbitrary commands.