CVE Catalog

CVE-2024-58351

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.65%

46th percentile — higher than 46% of all known CVEs

Summary

Flowise versions before 2.1.4 allow configuration to be injected into the Chainflow during execution via the overrideConfig option. This feature is enabled by default and lacks a allow-list of permitted variables, enabling attackers to achieve remote code execution and other serious attacks.

Risk Assessment

The organization is at risk of remote code execution, server crashes, and data exfiltration, which can lead to severe security and availability consequences.

Recommendation

It is recommended to update Flowise to version 2.1.4 or later and review the configuration to disable the overrideConfig option if it is not necessary.

Original NVD description (English source)

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. These issues are self-targeted and do not persist to other users.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS