<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Npm/Flowise - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/npm/flowise/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/npm/flowise/feed.xml" rel="self" type="application/rss+xml"/><item><title>FlowiseAI API Chain SSRF Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-flowise-ssrf/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-flowise-ssrf/</guid><description>A Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components, allowing unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems by injecting malicious prompt templates.</description><content:encoded><![CDATA[<p>FlowiseAI, a low-code open-source platform for building custom LLM flows, is vulnerable to Server-Side Request Forgery (SSRF) in its POST/GET API Chain components. This vulnerability, affecting versions 3.0.13 and earlier, allows unauthenticated attackers to inject malicious prompt templates into the API documentation, causing the FlowiseAI server to make arbitrary HTTP requests to internal and external systems. The root cause is the lack of validation when constructing URLs and request parameters from LLM responses. Attackers can exploit this by providing fake API documentation that redirects requests to sensitive internal services, enabling internal network reconnaissance, credential access, and data exfiltration. This vulnerability poses a significant risk as it allows attackers to bypass intended API constraints and potentially gain unauthorized access to internal resources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious prompt containing a manipulated API documentation section.</li>
<li>This malicious prompt is injected into the FlowiseAI API Chain component via user-controlled input.</li>
<li>The API Chain component uses an LLM to generate a URL and data parameters based on the injected API documentation.</li>
<li>Due to lack of validation, the system constructs an HTTP request using the attacker-controlled URL and data.</li>
<li>The FlowiseAI server executes the HTTP request to the attacker-specified internal or external endpoint using the <code>fetch</code> function in <code>postCore.ts</code>.</li>
<li>The attacker gains the ability to interact with internal APIs, cloud metadata endpoints, or other sensitive resources that trust the FlowiseAI server.</li>
<li>The attacker scans internal network services to identify running applications and open ports.</li>
<li>The attacker exfiltrates sensitive data obtained from internal services or cloud metadata.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The SSRF vulnerability allows unauthenticated attackers to abuse the FlowiseAI server as a proxy, leading to internal network reconnaissance, access to cloud metadata, exploitation of internal services, and potential data exfiltration. A successful attack can compromise sensitive internal data, bypass firewall rules, and allow attackers to pivot to other internal resources. Affected packages include <code>npm/flowise</code> and <code>npm/flowise-components</code> with versions 3.0.13 and earlier. This vulnerability enables attackers to scan internal network services and potentially access cloud metadata endpoints to retrieve credentials.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply patches or upgrade to versions later than 3.0.13 for <code>npm/flowise</code> and <code>npm/flowise-components</code> to remediate the SSRF vulnerability.</li>
<li>Deploy the Sigma rule &quot;FlowiseAI Suspicious Internal Network Connection&quot; to detect unauthorized connections to internal networks originating from FlowiseAI servers.</li>
<li>Monitor network traffic originating from FlowiseAI servers for connections to internal IP ranges or sensitive internal services, based on the IOCs provided.</li>
<li>Implement strict input validation and sanitization for user-provided API documentation to prevent prompt injection attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>flowiseai</category><category>prompt-injection</category><category>vulnerability</category></item></channel></rss>