Flowise Server-Side Request Forgery Vulnerability in Fetch Links Endpoint

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in Flowise version 3.0.5, specifically within the '/api/v1/fetch-links' endpoint. This vulnerability allows attackers to use the Flowise server as a proxy to access and enumerate internal network web services, potentially exposing sensitive administrative URLs and their link structures. The issue arises because the endpoint does not validate user-supplied URLs before fetching them, particularly when the 'relativeLinksMethod' parameter is set to 'webCrawl' or 'xmlScrape'. This flaw has been patched in version 3.0.6.

Impact

Exploitation of this vulnerability allows for internal web service enumeration via the Flowise server, with the potential to access sensitive administrative endpoints and their associated data. This could lead to unauthorized exposure of internal configurations, credentials, and secrets, significantly increasing the risk of lateral movement within an enterprise environment.

Reproduction

To reproduce this vulnerability, send a GET request to the '/api/v1/fetch-links' endpoint with a URL pointing to an internal service, and set the 'relativeLinksMethod' parameter to 'webCrawl' or 'xmlScrape'. Include a valid Bearer token for authentication. The response will contain the link structure of the internal service, including sensitive administrative URLs.

Remediation

Users can update to Flowise version 3.0.6, where this vulnerability has been patched.
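
The root cause described above is a missing check on the user-supplied URL before the server fetches it. The following is an added example of such a check in Node.js, not Flowise's code or its 3.0.6 patch; `validateFetchTarget`, `isInternalAddress` and the sample hostnames are hypothetical, and the caller is assumed to pass in the addresses the hostname resolved to.

```javascript
const net = require('node:net');

// Destinations a link fetcher should never reach: unspecified, RFC 1918,
// CGNAT, loopback, link-local (cloud metadata services) and IPv6 ULA.
const internal = new net.BlockList();
for (const [addr, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) internal.addSubnet(addr, bits, 'ipv4');
for (const [addr, bits] of [
  ['::', 128], ['::1', 128], ['fc00::', 7], ['fe80::', 10],
]) internal.addSubnet(addr, bits, 'ipv6');

// Hypothetical helper: true for internal addresses and for anything that is
// not an IP literal at all (fail closed).
function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Hypothetical helper. resolvedIps is assumed to be what the caller got from
// DNS for the hostname; it is passed in so the check itself runs offline.
function validateFetchTarget(rawUrl, resolvedIps = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // The URL parser has already canonicalised forms such as http://2130706433/
  // to a dotted quad; IPv6 literals keep their brackets, so strip them.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const candidates = net.isIP(host) ? [host] : resolvedIps;
  if (candidates.length === 0) return { ok: false, reason: 'no resolved address' };
  const bad = candidates.find(isInternalAddress);
  if (bad) return { ok: false, reason: `internal address ${bad}` };
  return { ok: true, host, pinnedIp: candidates[0] };
}

// Constructed sample inputs.
console.log(validateFetchTarget('http://127.0.0.1:8080/admin'));
console.log(validateFetchTarget('http://intranet.example/', ['10.1.2.3']));
console.log(validateFetchTarget('https://docs.example/', ['93.184.216.34']));
```

The same check has to run on every redirect hop and every link a crawl follows, and the fetch should connect to the validated address rather than resolve the name a second time.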

Added: Sep 22, 2025, 10:03 PM
Updated: Sep 22, 2025, 10:03 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 3.8
exploitability: 9.1
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.