CVE-2024-31621
Published: 2024-04-29
Priority: P2 · 73 · high · CVSS 3.1 base score 7.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Exploit: available
EPSS: 59.87% (99.0th percentile)
An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | <= 1.6.5 | — |
| flowiseai | flowise | >= 0 < 1.8.1 | 1.8.1 |
Detection & IOCs (extracted from sources)
- Authentication bypass is triggered by sending requests to /api/v1/ endpoints using uppercase path variants (e.g., /API/V1/ or /Api/v1/). Detect HTTP requests where the path contains case-variant forms of '/api/v1/' such as '/API/V1/', '/Api/V1/', etc., which bypass the case-sensitive middleware check.
- A successful exploit response to /API/V1/credentials contains both '"credentialName":' and '"updatedDate":' in the response body with HTTP 200, indicating unauthenticated credential data exposure.
- Attackers may use Burp Suite Match and Replace rules to automatically uppercase /api/v1 to /API/V1 in all proxy requests. Monitor for proxy tool signatures alongside uppercase API path patterns.
- Flowise instances exposed on the internet can be identified via Shodan using the favicon hash -2051052918, which can be used to enumerate potentially vulnerable targets.
- Note: the authentication bypass only works against Flowise instances that have authentication enabled (basicAuthMiddleware). Instances running without authentication configured are unaffected by this specific bypass technique but are inherently open.
GHSA
Flowise vulnerable to code injection via api/v1 (ghsa · 2024-04-29 · CVE-2024-31621 [HIGH] · CWE-94)
An issue in FlowiseAI Inc Flowise prior to v1.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component.
OSV
Flowise vulnerable to code injection via api/v1 (osv · 2024-04-29 · CVE-2024-31621 [HIGH])
An issue in FlowiseAI Inc Flowise prior to v1.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component.
No detection rules found.
Exploit-DB
Flowise 1.6.5 - Authentication Bypass (exploitdb · 2024-04-21 · CVE-2024-31621 [HIGH] · CVSS 7.6)
---
# Exploit Title: Flowise 1.6.5 - Authentication Bypass
# Date: 17-April-2024
# Exploit Author: Maerifat Majeed
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise/releases
# Version: 1.6.5
# Tested on: mac-os
# CVE : CVE-2024-31621
The flowise version <= 1.6.5 is vulnerable to authentication bypass vulnerability.

```javascript
// Excerpt quoted in the advisory. The opening line of the enclosing
// middleware handler was lost in extraction; only its closing `})` remains.
if (req.url.includes('/api/v1/')) {
    // Case-sensitive substring test: only a lowercase '/api/v1/' is gated.
    whitelistURLs.some((url) => req.url.includes(url)) ?
        next() : basicAuthMiddleware(req, res, next)
} else next()
})
```
This puts authentication middleware in front of all the endpoints with path /api/v1
except a few whitelisted endpoints. But the check is case-sensitive, hence it only
matches lowercase /api/v1. Anyone modifying the endpoints to uppercase like /API/V1
can bypass the authentication.
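As an added illustration (not Flowise's code and not part of the Exploit-DB entry), the JavaScript below places the case-sensitive gate quoted above beside a hardened version that normalizes the path before comparing, and adds a detector for the case-variant /api/v1/ paths listed under Detection & IOCs. The whitelist entries, log lines and the helper names requiresAuthVulnerable, requiresAuthHardened, normalizePath and findCaseVariantRequests are all assumptions made for this example.

```javascript
// Added example, not Flowise's own code: the case-sensitive gate quoted in
// the Exploit-DB entry beside a hardened form, plus a check over access-log
// lines for the case-variant paths listed under Detection & IOCs.
// The whitelist entries and log lines are constructed for illustration.

const whitelistURLs = ['/api/v1/verify/apikey/', '/api/v1/public-chatbots']; // hypothetical values

// Mirrors the quoted check: a case-sensitive substring test on the raw URL,
// so a path such as /API/V1/credentials is never handed to basicAuthMiddleware.
function requiresAuthVulnerable(url) {
  if (url.includes('/api/v1/')) {
    return !whitelistURLs.some((u) => url.includes(u));
  }
  return false;
}

// Hardened form: drop the query string and fragment, percent-decode, collapse
// repeated slashes and lower-case the path before comparing, then match the
// whitelist by prefix rather than by substring. A path that fails to decode
// is treated as protected.
function normalizePath(url) {
  let path = url.split('?')[0].split('#')[0];
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    return null;
  }
  return path.replace(/\/+/g, '/').toLowerCase();
}

function requiresAuthHardened(url) {
  const path = normalizePath(url);
  if (path === null) return true;
  if (!path.startsWith('/api/v1/')) return false;
  return !whitelistURLs.some((u) => path.startsWith(u.toLowerCase()));
}

// Detection: a request path that matches /api/v1/ case-insensitively but not
// in its canonical lowercase form is the case-variant indicator from the IOC
// list. Lines are expected in Apache/nginx "combined" format.
const REQUEST_RE = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+" (\d{3})/;

function isCaseVariantApiPath(path) {
  return /\/api\/v1\//i.test(path) && !path.includes('/api/v1/');
}

function findCaseVariantRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = REQUEST_RE.exec(line);
    if (m && isCaseVariantApiPath(m[1])) {
      // An HTTP 200 on a gated path is the stronger signal: the gate was skipped.
      hits.push({ path: m[1], status: Number(m[2]) });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const sampleLogLines = [
  '203.0.113.5 - - [21/Apr/2024:10:00:00 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 0',
  '203.0.113.5 - - [21/Apr/2024:10:00:02 +0000] "GET /API/V1/credentials HTTP/1.1" 200 512',
  '198.51.100.7 - - [21/Apr/2024:10:00:05 +0000] "GET /Api/v1/chatflows?x=1 HTTP/1.1" 200 2048',
  '198.51.100.7 - - [21/Apr/2024:10:00:09 +0000] "GET /static/logo.png HTTP/1.1" 200 4096',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findCaseVariantRequests(sampleLogLines));
}
```

In an Express application the hardened check would run on req.path (which already excludes the query string) inside the same middleware position the quoted code occupies; the prefix match on the whitelist is a deliberate tightening over the substring match in the excerpt, since a substring test would also pass any path that merely contains a whitelisted fragment.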
*POC:*
Nuclei
Flowise 1.6.5 - Authentication Bypass (nuclei · CVE-2024-31621 [HIGH] · CVSS 7.6)
The flowise version <= 1.6.5 is vulnerable to authentication bypass vulnerability.
Template:

```yaml
id: CVE-2024-31621

info:
  name: Flowise 1.6.5 - Authentication Bypass
  author: DhiyaneshDK
  severity: high
  description: |
    The flowise version <= 1.6.5 is vulnerable to authentication bypass vulnerability.
  impact: |
    Attackers can bypass authentication and gain unauthorized access to the Flowise application and its data.
  remediation: |
    Update Flowise to version 1.6.6 or later.
  reference:
    - https://www.exploit-db.com/exploits/52001
    - https://github.com/FlowiseAI/Flowise/releases
    - https://flowiseai.com/
  classification:
    cve-id: CVE-2024-31621
    cwe-id: CWE-94
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
    cvss-score: 7.6
    epss-score: 0.82509
    epss-percenti
```
No writeups or analysis indexed.