CVE-2024-58351 Flowise CVE debrief

Who should care

Organizations using Flowise before version 2.1.4 should prioritize patching to prevent potential remote code execution, denial of service, and data exfiltration attacks. Security teams and administrators responsible for maintaining Flowise installations are urged to review and update their systems accordingly.

Technical summary

The vulnerability exists in Flowise's overrideConfig option, which allows configuration injection into the Chainflow during execution. This feature is enabled by default and lacks an allow-list of permitted variables. Relying on vm2 for sandboxing, an attacker can exploit this to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a critical severity with a score of 9.3.

Defensive priority

Critical due to remote code execution and high impact potential

Recommended defensive actions

• Update Flowise to version 2.1.4 or later
• Review and restrict the use of overrideConfig option
• Implement additional monitoring for suspicious Chainflow executions
• Conduct a thorough inventory of Flowise installations
• Verify the integrity of Chainflow configurations

Evidence notes

The primary evidence for this vulnerability comes from the CVE record and details provided by Vulncheck. The affected product is Flowise, with versions before 2.1.4 being vulnerable. The evidence limits are based on the information available up to the publication date. Defenders should verify the official CVE record and vendor advisories for the most current information.

Official resources