CVE-2024-37146

6.1 MEDIUM

📋 TL;DR

Flowise version 1.4.3 has a reflected cross-site scripting vulnerability in the /api/v1/credentials/id endpoint: the id value taken from the request path is reflected unencoded into the 404 error response, so a crafted link runs attacker-controlled JavaScript in the browser of whoever opens it. This can lead to session hijacking and data theft, and to reading files on the server when chained with path injection. Any Flowise 1.4.3 deployment is affected; the default configuration, which runs without authentication, is the most exposed.

💻 Affected Systems

Products:
  • Flowise
Versions: 1.4.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The default configuration runs without authentication, so the vulnerable endpoint is reachable by anyone who can reach the service. Enabling authentication removes the unauthenticated path but does not eliminate the vulnerability: the payload still runs in the browser of a logged-in user who follows a crafted link.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal sensitive data and hijack user sessions through the reflected script, read arbitrary files from the server by chaining the issue with path injection, and redirect users to malicious sites, which together can lead to complete compromise of the Flowise instance.

🟠

Likely Case

Attackers craft malicious links to the credentials endpoint and get Flowise users to open them; the reflected script then steals session cookies and other sensitive information from the victim's browser, giving the attacker unauthorized access to Flowise data.

🟢

If Mitigated

With proper authentication enabled and input validation, the attack surface is significantly reduced, though the vulnerability still exists in the code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires crafting a URL; nothing beyond a browser or curl is needed. The vulnerability is documented in the CVE record, although no public proof of concept is listed here.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: None

Restart Required: No

Instructions:

No official patch is available. Monitor the Flowise GitHub repository and upgrade as soon as a release later than 1.4.3 addresses this issue.

🔧 Temporary Workarounds

Enable Authentication (all platforms)

Configure Flowise to require authentication so that unauthenticated clients cannot reach the vulnerable endpoint. This only closes the unauthenticated path: an authenticated user who opens a crafted link is still exposed.

Set the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables before starting Flowise.

Input Validation Filter (all platforms)

Implement server-side validation of the 'id' path parameter of the /api/v1/credentials/id endpoint: reject values that are not well-formed credential identifiers before any lookup happens, and never interpolate the raw value into an HTML error page.

Where the value must appear in a response, HTML-encode it or return it inside a JSON body with a JSON content type, so that markup in the id is never rendered by the browser.
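The following is an added example written for this page, not Flowise's own code: an Express-style 404 response that reflects the untrusted id into HTML (the vulnerable pattern this workaround targets) next to three hardened alternatives. It assumes, hypothetically, that credential ids are UUIDs and that a plain `{status, headers, body}` object stands in for `res.status().set().send()`; the `lookup` function is a stand-in for the real data access.

```javascript
// Added example (not Flowise code). Assumptions: credential ids are UUIDs; a response is
// modelled as {status, headers, body}; `lookup(id)` is a hypothetical data-access function.

const PAYLOAD = "<script>alert('test')</script>"; // the probe string used by the advisory

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

const JSON_HEADERS = {
  "Content-Type": "application/json; charset=utf-8",
  "X-Content-Type-Options": "nosniff", // stop browsers from guessing a different type
};

// Vulnerable pattern: the path segment is interpolated into an HTML error body that is
// served as text/html, so a browser parses and executes whatever markup the id contains.
function notFoundVulnerable(id) {
  return {
    status: 404,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<h1>Credential ${id} not found</h1>`,
  };
}

// Hardened variant 1: encode on output. The id is still shown, but as text, not as markup.
function notFoundHtmlEncoded(id) {
  return {
    status: 404,
    headers: { "Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff" },
    body: `<h1>Credential ${escapeHtml(id)} not found</h1>`,
  };
}

// Hardened variant 2: an API endpoint has no reason to answer with HTML at all. A JSON body
// with a JSON content type is not rendered as a document, so markup inside the id is inert.
function notFoundJson(id) {
  return { status: 404, headers: JSON_HEADERS, body: JSON.stringify({ error: "Credential not found", id }) };
}

// Hardened variant 3: allow-list validation before the lookup. Values that are not
// well-formed ids never reach an error message that could echo them. (UUID format is assumed.)
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isValidCredentialId(id) {
  return typeof id === "string" && UUID_RE.test(id);
}

// Handler combining validation and a non-HTML error body.
function getCredentialHandler(id, lookup) {
  if (!isValidCredentialId(id)) {
    // Reject without echoing the offending value anywhere in the response.
    return { status: 400, headers: JSON_HEADERS, body: JSON.stringify({ error: "Invalid credential id" }) };
  }
  const credential = lookup(id);
  if (!credential) return notFoundJson(id);
  return { status: 200, headers: JSON_HEADERS, body: JSON.stringify(credential) };
}

// Side-by-side output for the advisory's probe string when run directly.
for (const variant of [notFoundVulnerable, notFoundHtmlEncoded, notFoundJson]) {
  console.log(`${variant.name}: ${variant(PAYLOAD).body}`);
}
console.log("validated handler:", getCredentialHandler(PAYLOAD, () => null).body);
```

Output encoding (variant 1) fixes the symptom; switching the error path to JSON and rejecting malformed ids (variants 2 and 3) also removes the reflection surface that a future change to the error page could reintroduce. The `nosniff` header matters for the JSON variants because without it some browsers will content-sniff a body that starts with a tag.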

🧯 If You Can't Patch

  • Isolate Flowise instances behind a reverse proxy with WAF rules that block XSS payloads in the request path, including their URL-encoded and double-encoded forms
  • Restrict network access to Flowise to trusted IP addresses only; note that an IP allow-list does not protect a trusted user who opens a crafted link

🔍 How to Verify

Check if Vulnerable:

Request /api/v1/credentials/id with a test payload such as <script>alert('test')</script> supplied as the id value (URL-encoded in the request). The instance is vulnerable if the 404 response is served as text/html and contains the payload unencoded; opening the same URL in a browser then executes the script. A response that echoes the value only inside a JSON body is not directly executable, but still shows the id is reflected.

Check Version:

Check the version field in package.json, the Flowise UI, or, for npm installs, the output of `npm ls -g flowise`.

Verify Fix Applied:

After applying workarounds, send the same payload again and confirm it is rejected (for example 400 from input validation, 403 from the WAF, or 401 when authentication is enabled and no credentials are supplied) or reflected only in HTML-encoded form. When authentication is enabled, repeat the test as an authenticated user, since the reflection still exists for them.
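An added verification helper for the two checks above, written for this page rather than taken from Flowise or the advisory. The classifier works on response objects so it can be exercised against the constructed samples below; the optional live probe uses the Node 18+ global `fetch` and only runs when the hypothetical `FLOWISE_URL` environment variable is set (the base URL and the `Authorization` header are assumptions for illustration).

```javascript
// Added example (not from the advisory). Classifies the response to
// GET /api/v1/credentials/<payload>; verdicts follow the advisory's description that the id
// is reflected in the 404 page. FLOWISE_URL / FLOWISE_AUTH are hypothetical env vars.

const PROBE = "<script>alert('test')</script>";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Pure classification: no network, so it can be unit-tested and reused against saved responses.
function classifyResponse({ status, contentType, body }, probe = PROBE) {
  if (status === 401) return "auth-required";   // FLOWISE_USERNAME/PASSWORD in effect; re-test with credentials
  if (status === 403) return "blocked";         // typically a WAF or reverse-proxy rule
  const isHtml = /^text\/html/i.test(contentType || "");
  if (body.includes(probe)) {
    // Raw reflection is only executable when the browser renders the body as a document.
    return isHtml ? "vulnerable" : "reflected-non-html";
  }
  if (body.includes(escapeHtml(probe))) return "reflected-encoded";
  return "not-reflected";
}

// Live probe against a running instance. `authHeader` is an optional "Basic ..." value so the
// check can be repeated as an authenticated user after enabling authentication.
async function probeFlowise(baseUrl, probe = PROBE, authHeader = "") {
  const url = new URL(`/api/v1/credentials/${encodeURIComponent(probe)}`, baseUrl);
  const headers = authHeader ? { Authorization: authHeader } : {};
  const res = await fetch(url, { headers, redirect: "manual" });
  const verdict = classifyResponse(
    { status: res.status, contentType: res.headers.get("content-type"), body: await res.text() },
    probe,
  );
  return { url: url.href, status: res.status, verdict };
}

// Constructed sample responses (not captured from a real Flowise instance).
const SAMPLES = {
  unpatched: { status: 404, contentType: "text/html; charset=utf-8", body: `<pre>Error: Credential ${PROBE} not found</pre>` },
  jsonError: { status: 404, contentType: "application/json; charset=utf-8", body: JSON.stringify({ message: `Credential ${PROBE} not found` }) },
  encoded: { status: 404, contentType: "text/html; charset=utf-8", body: `<pre>Error: Credential ${escapeHtml(PROBE)} not found</pre>` },
  waf: { status: 403, contentType: "text/html", body: "<h1>Forbidden</h1>" },
  auth: { status: 401, contentType: "text/plain", body: "Unauthorized" },
};

for (const [name, sample] of Object.entries(SAMPLES)) {
  console.log(`${name}: ${classifyResponse(sample)}`);
}

if (typeof process !== "undefined" && process.env.FLOWISE_URL) {
  probeFlowise(process.env.FLOWISE_URL, PROBE, process.env.FLOWISE_AUTH || "")
    .then((r) => console.log(JSON.stringify(r)))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

Run it as `FLOWISE_URL=http://127.0.0.1:3000 node verify.js`, and again with `FLOWISE_AUTH="Basic <base64 user:pass>"` once authentication is on. A verdict of `reflected-non-html` means the fix changed the content type but not the reflection; that is acceptable as a stopgap but worth revisiting, because the same value may be rendered elsewhere.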

📡 Detection & Monitoring

Log Indicators:

  • Requests to /api/v1/credentials/ whose id segment contains script tags, javascript: URIs or event-handler attributes (compare against the URL-decoded path, since payloads arrive percent-encoded)
  • Bursts of 404 responses from a single source for id values that are not well-formed identifiers

Network Indicators:

  • HTTP requests containing script tags or JavaScript, in plain or percent-encoded form, in the URL path or parameters
  • Repeated requests to the credentials endpoint from one source, especially when most of them return 404

SIEM Query:

source="flowise.log" uri="/api/v1/credentials/*" (uri="*<script*" OR uri="*%3Cscript*" OR uri="*javascript:*" OR uri="*onerror=*")

The payload travels in the id segment of the path, so an exact match on /api/v1/credentials/id will not fire; match on a wildcard path and on both the literal and percent-encoded payload forms, or normalize the URI with URL decoding before searching.
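The same detection logic as a script, added for this page and not part of the advisory: it parses constructed access-log lines in combined log format (assumed to be what a reverse proxy in front of Flowise writes; the IPs, timestamps and requests are made up), URL-decodes the request target up to two rounds to catch double-encoded payloads, and flags requests to the credentials endpoint whose id segment carries XSS markers.

```javascript
// Added example (not from the advisory). Sample lines are constructed, not real logs.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /api/v1/credentials/%3Cscript%3Ealert(%27test%27)%3C%2Fscript%3E HTTP/1.1" 404 231 "-" "curl/8.4.0"',
  '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /api/v1/credentials/javascript:alert(1) HTTP/1.1" 404 218 "-" "curl/8.4.0"',
  '203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /api/v1/credentials/%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 240 "-" "curl/8.4.0"',
  '198.51.100.4 - - [10/Jun/2024:12:00:04 +0000] "GET /api/v1/credentials/123e4567-e89b-12d3-a456-426614174000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jun/2024:12:00:05 +0000] "GET /api/v1/credentials/00000000-0000-0000-0000-000000000000 HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jun/2024:12:00:06 +0000] "GET /api/v1/chatflows?q=%3Cscript%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
];

// Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const CREDENTIALS_PATH = "/api/v1/credentials/";
const XSS_MARKERS = [
  /<\s*\/?\s*script/i,                    // <script ... or </script
  /javascript\s*:/i,                      // javascript: URIs
  /<\s*(img|svg|iframe|body|object)\b/i,  // tags commonly used with event handlers
  /\bon[a-z]+\s*=/i,                      // onerror=, onload=, ...
];

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decode repeatedly (bounded) so %253C -> %3C -> < is caught; stop on malformed sequences.
function decodeTarget(target, rounds = 2) {
  let out = target;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch { return out; }
    if (next === out) break;
    out = next;
  }
  return out;
}

function isCredentialsXssProbe(entry) {
  const decoded = decodeTarget(entry.target);
  if (!decoded.startsWith(CREDENTIALS_PATH)) return false;
  const idSegment = decoded.slice(CREDENTIALS_PATH.length);
  return XSS_MARKERS.some((re) => re.test(idSegment));
}

// Returns one finding per matching request, with the decoded target for analyst review.
function findXssProbes(lines) {
  return lines
    .map(parseLine)
    .filter(Boolean)
    .filter(isCredentialsXssProbe)
    .map((e) => ({ ip: e.ip, time: e.time, status: e.status, decodedTarget: decodeTarget(e.target) }));
}

// Per-source counts, with the 404 count as the "probing a reflected error page" signal.
function summarizeBySource(lines) {
  const summary = {};
  for (const hit of findXssProbes(lines)) {
    const s = summary[hit.ip] || (summary[hit.ip] = { probes: 0, notFound: 0 });
    s.probes += 1;
    if (hit.status === 404) s.notFound += 1;
  }
  return summary;
}

for (const hit of findXssProbes(SAMPLE_LOG)) console.log(JSON.stringify(hit));
console.log(JSON.stringify(summarizeBySource(SAMPLE_LOG)));
```

The benign requests from 198.51.100.4, including the unrelated `<script>` in a chatflows query string, do not match because the check is scoped to the id segment of the credentials path; widen `CREDENTIALS_PATH` if you want a generic XSS-probe detector.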
