Flowise DatasetRow Mass Assignment Vulnerability Allows Cross-Workspace Row Takeover

Vulnerability

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, allowing cross-workspace row takeover in the DatasetRow entity. The issue arises because the DatasetRow controller mass-assigns client-controlled data, including workspace IDs, without proper validation. This flaw enables authenticated users to manipulate dataset rows across different workspaces, violating data isolation and potentially exposing sensitive information.

Impact

Exploitation of this vulnerability allows authenticated users to overwrite the workspace association of DatasetRow entries, causing data to be visible and accessible in unintended workspaces. This could lead to unauthorized access to training and evaluation records, disrupting workflow and data management.

Reproduction

To reproduce this vulnerability, an authenticated user must first create or identify a DatasetRow in their workspace. They can then send a request to update a DatasetRow by including a workspace ID from another workspace, effectively transferring the row to the new workspace. This action bypasses the intended workspace boundaries, as the update request is processed without stripping or validating the workspace ID.
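The update pattern described above, next to a hardened form, as an added example that is not Flowise source code. The store, function names, field names and sample rows are hypothetical and constructed for illustration; the workspace of the caller is assumed to come from the authenticated session.

```javascript
// Added illustration; not Flowise source. All names here are hypothetical.
// In-memory stand-in for the DatasetRow table (constructed sample data).
function makeStore() {
  return new Map([
    ['row-1', { id: 'row-1', workspaceId: 'ws-A', input: 'q1', output: 'a1' }],
    ['row-2', { id: 'row-2', workspaceId: 'ws-B', input: 'q2', output: 'a2' }],
  ]);
}

// Vulnerable shape: the whole request body is merged into the entity,
// so a client-supplied workspaceId overwrites the server-side value.
function updateRowUnsafe(store, rowId, body) {
  const row = store.get(rowId);
  if (!row) throw new Error('not found');
  Object.assign(row, body);
  return row;
}

// Fields a client may change. Ownership and identity fields are not listed.
const UPDATABLE_FIELDS = ['input', 'output'];

// Hardened shape: the row must already belong to the caller's workspace
// (taken from the session, never from the body), and only allowlisted
// fields are copied from the request.
function updateRowSafe(store, rowId, body, sessionWorkspaceId) {
  const row = store.get(rowId);
  if (!row || row.workspaceId !== sessionWorkspaceId) {
    throw new Error('not found');
  }
  for (const field of UPDATABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      row[field] = body[field];
    }
  }
  return row;
}

// Audit helper: body keys the allowlist drops, useful for logging attempts
// to set ownership fields.
function rejectedKeys(body) {
  return Object.keys(body).filter((k) => !UPDATABLE_FIELDS.includes(k));
}
```

Logging the output of `rejectedKeys` on update endpoints gives a detection signal for requests that try to set ownership fields.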

Remediation

Users should update to Flowise version 3.1.2 or later, where this vulnerability has been patched. The update can be applied through the standard package management tools for the Node.js ecosystem.

Added: Jun 8, 2026, 4:39 PM
Updated: Jun 8, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 1.3
exploitability: 6.2
remediation: 7.7
relevance: 10.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.