{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/flowiseai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2025-61687"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowiseai","file-upload","rce","web-shell"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability. By modifying the Chatflow configuration, specifically the \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e setting, an attacker can add \u003ccode\u003eapplication/javascript\u003c/code\u003e as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. Although the frontend UI restricts JavaScript uploads, a direct API request can circumvent this. Successful exploitation allows attackers to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. This vulnerability affects FlowiseAI versions up to 3.0.13. If executed, these web shells could grant the attacker Remote Code Execution (RCE) capabilities on the server, posing a significant risk to system integrity and data confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FlowiseAI instance running a version \u0026lt;= 3.0.13.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP PUT request to the \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe PUT request modifies the Chatflow configuration, specifically the \u003ccode\u003echatbotConfig\u003c/code\u003e to include \u003ccode\u003eapplication/javascript\u003c/code\u003e in the \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e endpoint to upload a \u003ccode\u003e.js\u003c/code\u003e file (Node.js web shell), such as the \u003ccode\u003eshell.js\u003c/code\u003e example.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious \u003ccode\u003e.js\u003c/code\u003e file to a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded \u003ccode\u003e.js\u003c/code\u003e file via a direct HTTP request.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands specified in the URL parameters, such as \u003ccode\u003ehttp://localhost:8888/?cmd=id\u003c/code\u003e, resulting in RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system. This can lead to complete system compromise, data exfiltration, and denial of service. This vulnerability affects FlowiseAI versions up to 3.0.13.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to prevent modification of \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e settings.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for PUT requests to \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e modifying \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e uploading \u003ccode\u003e.js\u003c/code\u003e files based on the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect suspicious HTTP requests indicative of this attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T14:00:00Z","date_published":"2026-04-17T14:00:00Z","id":"/briefs/2026-04-17-flowise-upload-bypass/","summary":"A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).","title":"FlowiseAI File Upload Validation Bypass Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowiseai","rce","prompt-injection","airtable"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowiseAI is susceptible to a remote code execution (RCE) vulnerability within the AirtableAgent function. This function, designed to retrieve and process datasets from Airtable.com, is flawed due to the lack of input sanitization. Specifically, user-supplied input is directly incorporated into a prompt template, which is then used to generate Python code executed by Pyodide. By injecting malicious payloads into the prompt, an attacker can bypass the intended behavior of the language model and execute arbitrary Python code, leading to complete system compromise. The vulnerability resides in \u003ccode\u003eAirtableAgent.ts\u003c/code\u003e and is triggered when the \u003ccode\u003einput\u003c/code\u003e variable, containing user-supplied data, is passed to the LLMChain without proper validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious payload containing a prompt injection designed to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted payload via the FlowiseAI application to the AirtableAgent function.\u003c/li\u003e\n\u003cli\u003eThe payload is passed into the \u003ccode\u003einput\u003c/code\u003e variable without sanitization and incorporated into the prompt template within \u003ccode\u003esystemPrompt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LLMChain uses the crafted prompt, including the injected code, to generate a \u003ccode\u003epythonCode\u003c/code\u003e string.\u003c/li\u003e\n\u003cli\u003eThe generated \u003ccode\u003epythonCode\u003c/code\u003e string, containing the malicious code, is passed to the \u003ccode\u003epyodide.runPythonAsync()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003ePyodide executes the malicious Python code, leading to remote code execution on the FlowiseAI server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the FlowiseAI instance, potentially accessing sensitive data or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for complete remote code execution on the FlowiseAI server. This could lead to the compromise of sensitive data stored within Airtable datasets, as well as the potential for lateral movement to other systems on the network. The lack of input validation opens the door to attackers using prompt injection to bypass security measures and gain unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input sanitization and validation to the \u003ccode\u003einput\u003c/code\u003e variable within the AirtableAgent function in \u003ccode\u003eAirtableAgent.ts\u003c/code\u003e before it is incorporated into the prompt template.\u003c/li\u003e\n\u003cli\u003eImplement strict output filtering on the \u003ccode\u003epythonCode\u003c/code\u003e generated by the LLMChain to prevent the execution of potentially malicious code.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect prompt injection attempts targeting the AirtableAgent function.\u003c/li\u003e\n\u003cli\u003eRegularly audit and update FlowiseAI dependencies, including Pyodide and Pandas, to address any known security vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T21:43:57Z","date_published":"2026-04-16T21:43:57Z","id":"/briefs/2024-01-flowise-rce/","summary":"A remote code execution vulnerability exists in FlowiseAI's AirtableAgent.ts due to insufficient input verification when using Pandas, allowing attackers to inject malicious code into the prompt and execute arbitrary code via Pyodide.","title":"FlowiseAI AirtableAgent Remote Code Execution via Prompt Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-flowise-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Flowiseai","version":"https://jsonfeed.org/version/1.1"}