Flowise Airtable Agent Prompt Injection Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Flowise versions prior to 3.1.0. The issue lies in the Airtable_Agents class, whose run method executes Python scripts generated by a large language model (LLM) without proper sandboxing. An unauthenticated attacker can therefore send prompts that the LLM turns into malicious Python code, which then runs commands on the Flowise server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the Flowise server, with the executed code running in the context of the user operating the server.

Reproduction

The vulnerability can be reproduced by sending a prompt injection to a chatflow that uses the Airtable Agent node, either through the Flowise interface or with the provided proof-of-concept script. The injected prompt must be crafted to bypass the LLM's content filters and to include malicious Python code that, once executed, performs an action such as running a system command.

Remediation

Users are advised to update to Flowise version 3.1.0 or later, where this vulnerability has been patched.

Added: Apr 23, 2026, 8:47 PM
Updated: Apr 23, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 7.0
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.