Submission #777668: FlowiseAI Flowise <= 3.0.12 Server-Side Request Forgery (CWE-918)

Title: FlowiseAI Flowise <= 3.0.12 Server-Side Request Forgery (CWE-918)
Description:

# Technical Details

A Server-Side Request Forgery (SSRF) vulnerability exists in the OpenAPI Toolkit component `packages/components/nodes/tools/OpenAPIToolkit/OpenAPIToolkit.ts` of FlowiseAI Flowise. The loadOpenApiSpec() method fetches user-specified OpenAPI spec URLs using raw fetch() without the secureFetch wrapper introduced in the DNS Rebinding fix (GHSA-2x8m-83vc-6wv4, commit 643ebf5). This completely bypasses HTTP_DENY_LIST. Unlike typical blind SSRFs, the response is fully parsed as JSON/YAML and returned to the attacker through the API response, enabling complete structured data exfiltration. The SSRF fires during node configuration (listServers, listEndpoints) via POST /api/v1/node-load-method/openAPIToolkit, not just during chatflow execution.

# Vulnerable Code

- File: packages/components/nodes/tools/OpenAPIToolkit/OpenAPIToolkit.ts (line 287)
- Method: loadOpenApiSpec()
- Why: Uses raw fetch(openApiLink) instead of secureFetch(). The openApiLink is user-controlled input. The response is parsed as JSON/YAML and returned through the listServers and listEndpoints methods, enabling structured data exfiltration.

# Reproduction

1. Deploy Flowise with a deny list: `docker run -d -e HTTP_DENY_LIST="x.x.x.x/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8" -p 3001:3000 flowiseai/flowise:latest`
2. Start an HTTP listener serving a fake OpenAPI spec on the host.
3. Authenticate and trigger the SSRF: POST /api/v1/node-load-method/openAPIToolkit with `{"loadMethod":"listServers","inputs":{"inputType":"link","openApiLink":"http://172.17.0.1:9997/ssrf-spec.json"}}`
4. The response contains parsed data from the internal service (server URLs, descriptions) despite the target IP being in the deny list.

# Impact

- Steal cloud metadata (AWS IAM credentials via x.x.x.x).
- Query internal APIs with full structured response exfiltration.
- Scan internal networks, bypass network segmentation.
- Fires during node configuration, lowering the exploitation barrier.
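As an added illustration of the mitigation the report points to (routing the spec fetch through a deny-list-aware wrapper in the style of secureFetch), the following TypeScript is an independent sketch written for this page, not Flowise's own code; the function names, the IPv4-only CIDR handling and the fail-closed treatment of non-IPv4 addresses are assumptions.

```typescript
import { lookup } from "node:dns/promises";
import { isIPv4 } from "node:net";

interface Cidr { base: number; mask: number }

// Convert a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// Parse a comma-separated list in the HTTP_DENY_LIST format, e.g. "10.0.0.0/8,127.0.0.0/8".
// A bare address without "/bits" is treated as a /32 (assumption).
function parseDenyList(env: string): Cidr[] {
  return env.split(",").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [ip, bitsStr] = entry.split("/");
    const bits = bitsStr === undefined ? 32 : Number(bitsStr);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return { base: (ipv4ToInt(ip) & mask) >>> 0, mask };
  });
}

// An address is denied when it is not plain IPv4 (fail closed, assumption)
// or when it falls inside any CIDR block of the list.
function isDenied(addr: string, denyList: Cidr[]): boolean {
  if (!isIPv4(addr)) return true;
  const n = ipv4ToInt(addr);
  return denyList.some((c) => ((n & c.mask) >>> 0) === c.base);
}

// Resolve the URL's host first and check every resolved address, so that a
// hostname pointing at an internal range is refused as well as a literal IP.
async function guardedFetch(
  url: string,
  denyList: Cidr[],
  fetchImpl: (u: string) => Promise<unknown> = (u) => fetch(u)
): Promise<unknown> {
  const { hostname } = new URL(url);
  const addresses = isIPv4(hostname)
    ? [hostname]
    : (await lookup(hostname, { all: true })).map((r) => r.address);
  for (const a of addresses) {
    if (isDenied(a, denyList)) throw new Error(`refusing to fetch ${url}: ${a} is in HTTP_DENY_LIST`);
  }
  return fetchImpl(url);
}
```

Note that this only closes the pre-connect check; a wrapper used in production must also pin the connection to the address it validated, since a resolve-then-fetch sequence can otherwise be raced by DNS rebinding.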
Source: https://gist.github.com/YLChen-007/75c3d4803d36cf162302b28f3233fdce
User: Eric-a (UID 96353)
Submission: 11/03/2026 03:12 PM (3 months ago)
Moderation: 06/05/2026 09:43 AM (2 months later)
Status: Accepted
VulDB Entry: 361279 [FlowiseAI Flowise up to 3.0.12 OpenAPI Toolkit OpenAPIToolkit.ts loadOpenApiSpec privilege escalation]
Points: 20
