Submission #777658: FlowiseAI Flowise <= 3.0.12 Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) information

Title: FlowiseAI Flowise <= 3.0.12 Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
Description:

# Technical Details

An Incomplete Fix for Mass Assignment vulnerability exists in multiple controllers of FlowiseAI Flowise, including `chatflows/index.ts`, `variables/index.ts`, `tools/index.ts`, and `datasets/index.ts`. The application uses `Object.assign(entity, req.body)` to bind user-supplied HTTP request bodies directly onto TypeORM entity models without any field whitelisting. While the original patch (PR #5668) fixed the `createLead` function, the same vulnerable pattern was left unpatched in 15+ API endpoints. An attacker can inject unexpected JSON fields (e.g., `"isPublic": true`) to escalate privileges, expose private ChatFlows publicly without authentication, hijack API key bindings, and manipulate resource ownership.

# Vulnerable Code

File: `packages/server/src/controllers/chatflows/index.ts` (Lines 151-155)

Method: Multiple controllers using the `Object.assign(newEntity, body)` pattern

Why: All properties from `req.body` are copied directly onto entity objects without field whitelisting. Fields like `isPublic`, `apikeyid`, and `workspaceId` are valid model properties that can be injected by attackers.

# Reproduction

1. Deploy Flowise: `docker run -d --name flowise -p 3000:3000 flowiseai/flowise:latest`
2. Authenticate and get a JWT cookie.
3. Create a ChatFlow with injected `"isPublic": true`: `POST /api/v1/chatflows` with `{"name":"poc","flowData":"...","type":"CHATFLOW","isPublic":true}`
4. Verify unauthenticated access: `GET /api/v1/public-chatflows/<id>` returns the chatflow without auth.
5. Hijack API key: `PUT /api/v1/chatflows/<id>` with `{"apikeyid":"attacker-key-id"}`

# Impact

- Private ChatFlows silently converted to public, exposing sensitive flow data.
- API key bindings can be hijacked.
- Cross-tenant data manipulation in multi-tenant configurations via `workspaceId` injection.
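The defensive fix for the pattern the report describes is to stop binding the raw request body and instead copy only an explicit allowlist of client-writable fields onto the entity, with server-controlled fields (`isPublic`, `apikeyid`, `workspaceId`) set from the session or by an authorization check rather than from the body. The block below is an added example and is not Flowise's code: the `ChatFlow` shape is a simplified stand-in for the TypeORM entity, the `CHATFLOW_WRITABLE` list, `bindAllowlisted`, `bindUnsafe` and `newChatFlow` are assumed helper names, and the request body is constructed to mirror the injected fields named in the report. It runs the unsafe binding and the allowlisted binding side by side so the difference is observable.

```typescript
// Added example (not Flowise's code). Contrasts the Object.assign(entity, body)
// binding from the report with an allowlisted binding. Entity shape, field
// names and helper names are assumptions made for this illustration.

interface ChatFlow {
  id: string;
  name: string;
  flowData: string;
  type: string;
  isPublic: boolean;     // server-controlled: must never come from the request body
  apikeyid?: string;     // server-controlled key binding
  workspaceId: string;   // tenant scope, taken from the authenticated session
}

// The only fields a client may set when creating or updating a ChatFlow.
const CHATFLOW_WRITABLE = ["name", "flowData", "type"] as const;
type WritableKey = (typeof CHATFLOW_WRITABLE)[number];

function isWritable(key: string): key is WritableKey {
  return (CHATFLOW_WRITABLE as readonly string[]).includes(key);
}

// Vulnerable pattern described in the report: every body key lands on the entity.
export function bindUnsafe(entity: ChatFlow, body: Record<string, unknown>): ChatFlow {
  return Object.assign(entity, body);
}

// Hardened binding: copy only allowlisted string fields; report everything else
// so the caller can log or reject the request.
export function bindAllowlisted(
  entity: ChatFlow,
  body: Record<string, unknown>,
): { entity: ChatFlow; rejected: string[] } {
  const patch: Partial<Pick<ChatFlow, WritableKey>> = {};
  const rejected: string[] = [];
  for (const key of Object.keys(body)) {
    const value = body[key];
    if (isWritable(key) && typeof value === "string") {
      patch[key] = value;           // all writable fields are strings here
    } else {
      rejected.push(key);           // unknown key, or wrong type for a known key
    }
  }
  // Spread rather than mutate, so server-set fields on `entity` cannot be overridden.
  return { entity: { ...entity, ...patch }, rejected };
}

// A fresh entity whose tenant scope comes from the session, never from the body.
export function newChatFlow(sessionWorkspaceId: string): ChatFlow {
  return {
    id: "cf-1",
    name: "",
    flowData: "",
    type: "CHATFLOW",
    isPublic: false,
    workspaceId: sessionWorkspaceId,
  };
}

// Constructed request body mirroring the injected fields named in the report.
export const INJECTED_BODY: Record<string, unknown> = {
  name: "poc",
  flowData: "{}",
  type: "CHATFLOW",
  isPublic: true,
  apikeyid: "attacker-key-id",
  workspaceId: "other-tenant",
};

export function demo() {
  const unsafe = bindUnsafe(newChatFlow("tenant-a"), { ...INJECTED_BODY });
  const safe = bindAllowlisted(newChatFlow("tenant-a"), { ...INJECTED_BODY });
  return { unsafe, safe };
}

const result = demo();
console.log("unsafe binding:", result.unsafe);
console.log("allowlisted binding:", result.safe.entity, "rejected:", result.safe.rejected);
```

In the unsafe path every injected field survives onto the entity; in the allowlisted path `isPublic` stays `false`, no `apikeyid` is bound, `workspaceId` remains the session's tenant, and the three rejected keys are returned so the controller can log them as a detection signal. Applying the same allowlist helper to each of the affected controllers (rather than fixing one function) is what closes the incomplete-fix gap the report describes.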
Source: ⚠️ https://gist.github.com/YLChen-007/1d1520a4c80eab8d3c57dbd0b4da0d87
User: Eric-a (UID 96353)
Submitted: 2026-03-11 14:59 (3 months ago)
Moderated: 2026-05-06 09:40 (2 months later)
Status: Accepted
VulDB entry: 361275 [FlowiseAI Flowise up to 3.0.12 API Endpoint createLead privilege escalation]
Points: 20
