Flowise CSVAgent Authenticated Remote Code Execution
Flowise versions 3.0.13 and earlier are vulnerable to authenticated remote code execution due to missing sanitization in the CSVAgent component's customReadCSVFunc parameter, leading to arbitrary code injection and server compromise.
Flowise, an open-source visual AI workflow tool, is vulnerable to a critical remote code execution (RCE) flaw in versions 3.0.13 and earlier. The vulnerability exists within the CSVAgent component, where the customReadCSVFunc parameter is not properly sanitized. This allows an authenticated attacker to inject arbitrary code into the code variable, which is then executed by the pyodide library on the server. The attack requires authentication but can be bypassed if FLOWISE_USERNAME and FLOWISE_PASSWORD are not set and the attacker provides the "x-request-from": "internal" header. Successful exploitation grants the attacker the ability to execute arbitrary commands on the underlying server, leading to a complete system compromise. The vulnerability was disclosed in GitHub Advisory GHSA-9wc7-mj3f-74xv.
Attack Chain
- The attacker authenticates to the Flowise application, or bypasses authentication by setting the
x-request-fromheader. - The attacker crafts a malicious payload containing Python code for execution, embedding OS commands such as
whoami. Example:DataFrame({'foo': ['bar!']});import os;os.system('whoami'). - The attacker creates a new chat flow via a
POSTrequest to/api/v1/chatflows, including a CSVAgent node with the malicious payload in thecustomReadCSVfield. - The server saves the attacker-controlled
customReadCSVcode within the chat flow definition. - The attacker triggers the execution of the crafted chat flow by sending a
POSTrequest to/api/v1/prediction/[CHATFLOWID], which invokes the CSVAgent. - The
pyodide.runPythonAsyncfunction executes the injected code due to insufficient sanitization of thecustomReadCSVinput. - The injected code executes arbitrary OS commands on the server.
- The attacker gains full control of the Flowise server.
Impact
Successful exploitation of this vulnerability results in Remote Code Execution (RCE) on the Flowise server. This allows an attacker to execute arbitrary commands, potentially leading to complete system compromise. Affected versions include Flowise and Flowise-components up to and including version 3.0.13. The impact is critical, as it allows for unauthorized access and control of the server infrastructure.
Recommendation
- Upgrade Flowise and Flowise-components to a version higher than 3.0.13 to patch the vulnerability (GHSA-9wc7-mj3f-74xv).
- Enforce strong authentication and authorization policies for the Flowise application to prevent unauthorized access and exploitation.
- Deploy the Sigma rule
Detect Flowise CSVAgent RCE Attempt via Malicious customReadCSVto identify exploitation attempts based on suspicious strings in HTTP request bodies targeting the/api/v1/chatflowsendpoint. - Monitor web server logs for POST requests to
/api/v1/chatflowsand/api/v1/predictionwith suspicious code-like strings in the request body, especially within thecustomReadCSVparameter.
Detection coverage 2
Detect Flowise CSVAgent RCE Attempt via Malicious customReadCSV
criticalDetects potential RCE attempts in Flowise CSVAgent by identifying suspicious code-like strings within the customReadCSV parameter in POST requests to the /api/v1/chatflows endpoint.
Detect Flowise Authentication Bypass Attempt
mediumDetects attempts to bypass Flowise authentication by checking for the `x-request-from: internal` header in requests to sensitive API endpoints.
Detection queries are available on the platform. Get full rules →