Flowise
cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*
- <= 3.0.13
A vulnerability in Flowise versions prior to 3.1.0 allows the Server-Side Request Forgery (SSRF) protection mechanisms to be bypassed. The core security functions, secureAxiosRequest and secureFetch, contain logic flaws that can be exploited. Attackers can defeat the allow/deny lists through DNS rebinding attacks or take advantage of the default configuration, which does not enforce any deny list. This vulnerability is addressed in Flowise version 3.1.0.
Exploiting this vulnerability could lead to unauthorized access to internal services, potentially allowing for sensitive data exposure or manipulation, depending on the nature of the accessed service.
The vulnerability can be reproduced by leaving the HTTP_DENY_LIST environment variable unset, which is the default. With the variable unset, any request made to localhost through the secureFetch function is allowed, bypassing the intended security measures. The vulnerability can also be demonstrated through a DNS rebinding attack, in which an attacker controls a domain and manipulates its DNS responses to first present a safe IP address and then switch to an internal IP, effectively bypassing the SSRF protection.
Users are advised to update Flowise to version 3.1.0 or later, where this vulnerability has been fixed.
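The two weaknesses described above (no deny list by default, and a check that DNS rebinding can outrun) can be seen side by side with the mitigation in the following added example, which is not Flowise's code. All function names are hypothetical, the resolver is a constructed stub standing in for DNS, and only IPv4 ranges are handled, with everything else denied.

```javascript
// Added example with hypothetical names; not Flowise's code. IPv4 only.
// Ranges denied by default, even when no deny list is configured.
const DEFAULT_DENY = ['0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16'];

// Dotted IPv4 -> unsigned integer, or null when the string is not plain IPv4.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip is inside any CIDR. Fails closed: unparseable input (IPv6 too) matches.
function matchesAny(ip, cidrs) {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return cidrs.some((cidr) => {
    const [base, bits] = cidr.split('/');
    const size = 2 ** (32 - Number(bits));
    return Math.floor(n / size) === Math.floor(ipv4ToInt(base) / size);
  });
}

// Flawed pattern: an empty list denies nothing, and the name is looked up
// again after the check, so the checked answer is not the one connected to.
function checkThenConnect(host, resolve, configuredDeny) {
  if (resolve(host).some((ip) => matchesAny(ip, configuredDeny))) throw new Error('blocked');
  return resolve(host)[0];
}

// Hardened pattern: one lookup, default ranges always applied, every answer
// validated, and the validated IP returned for the caller to connect to.
function resolveAndPin(host, resolve, configuredDeny = []) {
  const ips = resolve(host);
  const deny = [...DEFAULT_DENY, ...configuredDeny];
  if (!ips.length || ips.some((ip) => matchesAny(ip, deny))) throw new Error(`blocked: ${host}`);
  return ips[0];
}

// Constructed stub standing in for DNS: first answer public, later answers loopback.
function rebindingResolver() {
  let calls = 0;
  return () => (calls++ === 0 ? ['203.0.113.10'] : ['127.0.0.1']);
}
```

The caller of resolveAndPin must open the connection to the returned IP (keeping the original hostname for the Host header and TLS name) and repeat the check on every redirect hop; resolving the name again after validation reintroduces the gap.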