{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nodevm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flowise \u003c= 3.1.1"],"_cs_severities":["critical"],"_cs_tags":["rce","sandbox-escape","nodevm"],"_cs_type":"advisory","_cs_vendors":["FlowiseAI"],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI orchestration flows, is vulnerable to authenticated remote code execution (RCE) affecting versions 3.1.1 and earlier. The vulnerability stems from a missing authorization check on the \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e endpoint, enabling any authenticated user or API key holder to submit malicious JavaScript code to the \u003ccode\u003eCustom JS Function\u003c/code\u003e node. When the \u003ccode\u003eE2B_APIKEY\u003c/code\u003e environment variable is not configured, the platform falls back to a \u003ccode\u003eNodeVM\u003c/code\u003e sandbox. Attackers can escape this sandbox, gain access to the host\u0026rsquo;s \u003ccode\u003eprocess\u003c/code\u003e object, and execute arbitrary system commands. This allows attackers to compromise the Flowise server, potentially leading to data breaches, service disruption, or further lateral movement within the network. Most self-hosted instances are affected because the NodeVM sandbox is enabled by default when \u003ccode\u003eE2B_APIKEY\u003c/code\u003e is not explicitly set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the FlowiseAI application using valid credentials or a valid API key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JavaScript payload designed to escape the NodeVM sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e endpoint, including the malicious JavaScript code in the \u003ccode\u003ejavascriptFunction\u003c/code\u003e parameter within the request body.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks, executes the attacker-supplied JavaScript code within the Custom JS Function node.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript exploits an exception path within the NodeVM to escape the sandbox, gaining access to the host\u0026rsquo;s \u003ccode\u003eprocess\u003c/code\u003e object and \u003ccode\u003echild_process\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003echild_process\u003c/code\u003e module to execute arbitrary system commands on the Flowise server. For example, \u003ccode\u003ecp.execSync('id').toString().trim()\u003c/code\u003e to get the user ID.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the output of the executed command and potentially uses it to gather sensitive information or further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised server for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows any authenticated Flowise user to execute arbitrary commands on the Flowise server. This can lead to a full compromise of the server, including the ability to read environment variables and secrets, access the filesystem, and make outbound network requests. The default configuration, which relies on the vulnerable NodeVM sandbox when \u003ccode\u003eE2B_APIKEY\u003c/code\u003e is not configured, increases the attack surface, as the majority of self-hosted Flowise instances are likely affected. A successful attack can result in data breaches, service disruption, and further exploitation of the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;FlowiseAI NodeVM Sandbox Escape Attempt\u0026rdquo; Sigma rule to detect attempts to exploit this vulnerability by identifying the use of the \u003ccode\u003eError\u003c/code\u003e object and constructor chain manipulation within the \u003ccode\u003eCustom JS Function\u003c/code\u003e node.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;FlowiseAI Custom Function RCE via API\u0026rdquo; Sigma rule to detect HTTP requests to the \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e endpoint with suspicious JavaScript payloads containing potentially malicious code execution patterns.\u003c/li\u003e\n\u003cli\u003eImmediately apply the recommended remediation steps: add explicit permission gating to \u003ccode\u003e/api/v1/node-custom-function\u003c/code\u003e, fail closed if \u003ccode\u003eE2B_APIKEY\u003c/code\u003e is absent, and restrict this endpoint from generic API key access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T14:59:44Z","date_published":"2026-05-14T14:59:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-rce/","summary":"FlowiseAI is vulnerable to authenticated remote code execution (RCE) due to a missing route-level authorization in the `/api/v1/node-custom-function` endpoint, allowing any authenticated user to execute arbitrary JavaScript and escape the NodeVM sandbox to run system commands.","title":"FlowiseAI Authenticated Remote Code Execution via NodeVM Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2026-05-flowiseai-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Nodevm","version":"https://jsonfeed.org/version/1.1"}