{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/npm/flowise-components/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FlowiseAI","npm/flowise","npm/flowise-components"],"_cs_severities":["high"],"_cs_tags":["ssrf","flowiseai","prompt-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code open-source platform for building custom LLM flows, is vulnerable to Server-Side Request Forgery (SSRF) in its POST/GET API Chain components. This vulnerability, affecting versions 3.0.13 and earlier, allows unauthenticated attackers to inject malicious prompt templates into the API documentation, causing the FlowiseAI server to make arbitrary HTTP requests to internal and external systems. The root cause is the lack of validation when constructing URLs and request parameters from LLM responses. Attackers can exploit this by providing fake API documentation that redirects requests to sensitive internal services, enabling internal network reconnaissance, credential access, and data exfiltration. This vulnerability poses a significant risk as it allows attackers to bypass intended API constraints and potentially gain unauthorized access to internal resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt containing a manipulated API documentation section.\u003c/li\u003e\n\u003cli\u003eThis malicious prompt is injected into the FlowiseAI API Chain component via user-controlled input.\u003c/li\u003e\n\u003cli\u003eThe API Chain component uses an LLM to generate a URL and data parameters based on the injected API documentation.\u003c/li\u003e\n\u003cli\u003eDue to lack of validation, the system constructs an HTTP request using the attacker-controlled URL and data.\u003c/li\u003e\n\u003cli\u003eThe FlowiseAI server executes the HTTP request to the attacker-specified internal or external endpoint using the \u003ccode\u003efetch\u003c/code\u003e function in \u003ccode\u003epostCore.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to interact with internal APIs, cloud metadata endpoints, or other sensitive resources that trust the FlowiseAI server.\u003c/li\u003e\n\u003cli\u003eThe attacker scans internal network services to identify running applications and open ports.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data obtained from internal services or cloud metadata.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe SSRF vulnerability allows unauthenticated attackers to abuse the FlowiseAI server as a proxy, leading to internal network reconnaissance, access to cloud metadata, exploitation of internal services, and potential data exfiltration. A successful attack can compromise sensitive internal data, bypass firewall rules, and allow attackers to pivot to other internal resources. Affected packages include \u003ccode\u003enpm/flowise\u003c/code\u003e and \u003ccode\u003enpm/flowise-components\u003c/code\u003e with versions 3.0.13 and earlier. This vulnerability enables attackers to scan internal network services and potentially access cloud metadata endpoints to retrieve credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade to versions later than 3.0.13 for \u003ccode\u003enpm/flowise\u003c/code\u003e and \u003ccode\u003enpm/flowise-components\u003c/code\u003e to remediate the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;FlowiseAI Suspicious Internal Network Connection\u0026quot; to detect unauthorized connections to internal networks originating from FlowiseAI servers.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic originating from FlowiseAI servers for connections to internal IP ranges or sensitive internal services, based on the IOCs provided.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for user-provided API documentation to prevent prompt injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-flowise-ssrf/","summary":"A Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components, allowing unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems by injecting malicious prompt templates.","title":"FlowiseAI API Chain SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-09-flowise-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Npm/Flowise-Components","version":"https://jsonfeed.org/version/1.1"}