GHSA-wxrr-jp8m-qq7f — HIGH

Q: Is GHSA-wxrr-jp8m-qq7f actively exploited?

No confirmed active exploitation of GHSA-wxrr-jp8m-qq7f has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-wxrr-jp8m-qq7f?

1. Patch: upgrade to flowise@3.1.2 which applies the explicit field allowlist pattern from PR #6050. 2. If immediate patching is blocked, block write access to /api/v1/evaluators at the network/reverse-proxy layer for all but trusted internal users. 3. Audit: query the evaluators table (SELECT id, workspaceId, updatedDate FROM evaluators ORDER BY updatedDate DESC) for rows where workspaceId changed without a corresponding legitimate owner action. 4. Expand audit: inspect all files matching packages/server/src/Interface.*.ts for the same Object.assign(entity, body) pattern — DocumentStore and Evaluator are confirmed instances; sibling controllers may be affected. 5. Add regression tests asserting that POST and PUT to /api/v1/evaluators rejects or ignores workspaceId, id, createdDate, and updatedDate fields in the request body.

Q: What systems are affected by GHSA-wxrr-jp8m-qq7f?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model evaluation pipelines, multi-tenant AI platforms.

Q: What is the CVSS score for GHSA-wxrr-jp8m-qq7f?

No CVSS score has been assigned yet.

CISO Take

Flowise's Evaluator API copies the raw request body onto the entity via Object.assign without a field allowlist, allowing any authenticated workspace member to overwrite the workspaceId column and silently reassign evaluators to any other workspace in the instance. For multi-tenant Flowise deployments this fully breaks workspace isolation — scoring rubrics, evaluation configurations, and model output benchmarks from workspace B become accessible to the attacker's workspace A with no audit trail, and workspace B loses access to the resource without any visible error. Target workspace UUIDs are trivially enumerable from standard Flowise API responses, meaning the bar is any authenticated user with basic API knowledge and a PUT call. Upgrade to flowise@3.1.2 immediately (PR #6050 applies the field allowlist fix); if patching is blocked, restrict write access to /api/v1/evaluators at the reverse-proxy layer and query the evaluators table for rows with recently changed workspaceId values.

Sources: GitHub Advisory ATLAS

What is the risk?

High risk for any multi-tenant Flowise deployment. Exploitation requires only a valid authenticated session with evaluator write permission — no admin access, no second factor, no elevated privileges. The attack is deterministic once the attacker enumerates a target workspace UUID, which is exposed in routine API responses. The vulnerability pattern (Object.assign without allowlist) is repeated across sibling controllers in the same codebase and was previously exploited via DocumentStore, suggesting systemic under-patching. Single-tenant or air-gapped deployments face substantially reduced exposure but should still patch to prevent insider misuse.

Attack Kill Chain

Reconnaissance

Attacker calls GET /api/v1/workspaces or reads workspaceId fields from any cross-referenced object in routine API responses to enumerate target workspace UUIDs.

AML.T0006

Initial Access

Attacker authenticates to the Flowise instance as a legitimate workspace member with evaluator write permission using a valid session or JWT.

AML.T0012

Exploitation

Attacker sends PUT /api/v1/evaluators/<owned-id> with a JSON body containing workspaceId set to the target workspace UUID; Object.assign copies the field without validation and the ORM persists it.

AML.T0049

Impact

Evaluator row is silently reassigned to the target workspace; workspace isolation is broken, scoring rubrics and evaluation configurations are exposed to unauthorized workspace members with no audit trail.

AML.T0085

Reconnaissance

Attacker calls GET /api/v1/workspaces or reads workspaceId fields from any cross-referenced object in routine API responses to enumerate target workspace UUIDs.

AML.T0006

Initial Access

Attacker authenticates to the Flowise instance as a legitimate workspace member with evaluator write permission using a valid session or JWT.

AML.T0012

Exploitation

Attacker sends PUT /api/v1/evaluators/<owned-id> with a JSON body containing workspaceId set to the target workspace UUID; Object.assign copies the field without validation and the ORM persists it.

AML.T0049

Impact

Evaluator row is silently reassigned to the target workspace; workspace isolation is broken, scoring rubrics and evaluation configurations are exposed to unauthorized workspace members with no audit trail.

AML.T0085

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	<= 3.1.1	`3.1.2`

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Patch: upgrade to flowise@3.1.2 which applies the explicit field allowlist pattern from PR #6050.
If immediate patching is blocked, block write access to /api/v1/evaluators at the network/reverse-proxy layer for all but trusted internal users.
Audit: query the evaluators table (SELECT id, workspaceId, updatedDate FROM evaluators ORDER BY updatedDate DESC) for rows where workspaceId changed without a corresponding legitimate owner action.
Expand audit: inspect all files matching packages/server/src/Interface.*.ts for the same Object.assign(entity, body) pattern — DocumentStore and Evaluator are confirmed instances; sibling controllers may be affected.
Add regression tests asserting that POST and PUT to /api/v1/evaluators rejects or ignores workspaceId, id, createdDate, and updatedDate fields in the request body.

Classification

Auth Bypass Data Leakage Data Extraction Agent Framework AML.T0006 - Active Scanning AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0085 - Data from AI Services

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - AI risk assessment

NIST AI RMF

MANAGE 2.4 - Residual risks are monitored and tracked

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is GHSA-wxrr-jp8m-qq7f?

Flowise's Evaluator API copies the raw request body onto the entity via Object.assign without a field allowlist, allowing any authenticated workspace member to overwrite the workspaceId column and silently reassign evaluators to any other workspace in the instance. For multi-tenant Flowise deployments this fully breaks workspace isolation — scoring rubrics, evaluation configurations, and model output benchmarks from workspace B become accessible to the attacker's workspace A with no audit trail, and workspace B loses access to the resource without any visible error. Target workspace UUIDs are trivially enumerable from standard Flowise API responses, meaning the bar is any authenticated user with basic API knowledge and a PUT call. Upgrade to flowise@3.1.2 immediately (PR #6050 applies the field allowlist fix); if patching is blocked, restrict write access to /api/v1/evaluators at the reverse-proxy layer and query the evaluators table for rows with recently changed workspaceId values.

Is GHSA-wxrr-jp8m-qq7f actively exploited?

No confirmed active exploitation of GHSA-wxrr-jp8m-qq7f has been reported, but organizations should still patch proactively.

How to fix GHSA-wxrr-jp8m-qq7f?

1. Patch: upgrade to flowise@3.1.2 which applies the explicit field allowlist pattern from PR #6050. 2. If immediate patching is blocked, block write access to /api/v1/evaluators at the network/reverse-proxy layer for all but trusted internal users. 3. Audit: query the evaluators table (SELECT id, workspaceId, updatedDate FROM evaluators ORDER BY updatedDate DESC) for rows where workspaceId changed without a corresponding legitimate owner action. 4. Expand audit: inspect all files matching packages/server/src/Interface.*.ts for the same Object.assign(entity, body) pattern — DocumentStore and Evaluator are confirmed instances; sibling controllers may be affected. 5. Add regression tests asserting that POST and PUT to /api/v1/evaluators rejects or ignores workspaceId, id, createdDate, and updatedDate fields in the request body.

What systems are affected by GHSA-wxrr-jp8m-qq7f?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model evaluation pipelines, multi-tenant AI platforms.

What is the CVSS score for GHSA-wxrr-jp8m-qq7f?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary **Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the Evaluator entity -> cross-workspace data takeover and IDOR. **File:** `packages/server/src/Interface.Evaluation.ts` **Root cause:** The Evaluator controller/service constructs a `new Evaluator()` and copies the request body into it via `Object.assign(...)` without an explicit field allowlist. The request body therefore can include `workspaceId`, `id`, `createdDate`, `updatedDate`. The server only rebinds *some* of these after the assign (e.g. on create, it overwrites `workspaceId` but not `id`; on update, it overwrites `id` but not `workspaceId`). The remaining client-controlled values land directly on the persisted row, breaking workspace isolation. Same root pattern as the evaluator entity's sibling controllers and as `DocumentStore` before it was patched in commit 840d2ae. ## Affected Code **File:** `packages/server/src/Interface.Evaluation.ts` ```ts // at line 85 Object.assign(newEvaluator, body) // <-- BUG: body.id, body.workspaceId, body.createdDate, body.updatedDate accepted ``` **Why it's wrong:** `Object.assign(target, source)` copies every own enumerable property of `source` onto `target`. The TypeORM/SQL persistence layer below it does not strip ownership-bearing columns, so `workspaceId` set in the request body lands as the new `workspaceId` of the persisted row. The DocumentStore patch (commit 840d2ae) demonstrated the intended fix shape (explicit field-by-field allowlist) but it has not been applied to this entity. ## Exploit Chain 1. Attacker is an authenticated member of workspace A. They have a session cookie / JWT for the Flowise web UI. State at this point: attacker can read and write entities scoped to workspace A. 2. Attacker creates a evaluator in workspace A via the documented API (or reuses an existing one they own). They note its entity `id`. 3. Attacker issues a `PUT /api/v1/evaluators/<id>` (or equivalent endpoint) with a JSON body that includes `"workspaceId": "<workspace-B-id>"` (an arbitrary other workspace's UUID). State at this point: the request reaches the controller as a workspace-A authenticated request. 4. The controller calls `Object.assign(updateEntity, body)`. The body's `workspaceId` overwrites the entity's `workspaceId` field. The persistence layer commits the row. 5. Final state: the evaluator row is now owned by workspace B. Workspace B members can see it, modify it, and use it. Workspace A loses access (it no longer satisfies their workspace filter). The original creator's workspace audit shows nothing because the operation looked like a normal update. ## Security Impact **Severity:** High. Cross-workspace boundary violation by any authenticated workspace member. **Attacker capability:** Any authenticated user with permission to update a evaluator can move it to any workspace whose UUID they can guess or enumerate (workspace UUIDs are exposed in many API responses, so enumeration is trivial). Evaluators score model outputs and can be moved into another workspace via `workspaceId` overwrite, making the evaluator (and its scoring rubric) appear there. **Preconditions:** Authenticated session with edit permission for the source evaluator. No second factor required. Workspace UUIDs are exposed via the `/api/v1/workspaces` listing or via any cross-referenced object's `workspaceId` field, so target enumeration is trivial. **Differential:** PoC-verified by source inspection of the original GHSA-q4pr-4r26-c69r. Patched build (with the suggested fix below) refuses the `workspaceId` field; vulnerable build accepts it and persists it. ## Suggested Fix Already fixed in PR https://github.com/FlowiseAI/Flowise/pull/6050 (allowlist pattern applied). ```ts // Allowlist pattern (matches commit 840d2ae for DocumentStore): const updatedEvaluator = new Evaluator() if (body.<allowed_field_1> !== undefined) updatedEvaluator.<allowed_field_1> = body.<allowed_field_1> if (body.<allowed_field_2> !== undefined) updatedEvaluator.<allowed_field_2> = body.<allowed_field_2> // ...whitelist only the documented fields. Never copy id, workspaceId, createdDate, updatedDate from the client. ``` Regression tests should assert that a request body containing `workspaceId`, `id`, `createdDate`, or `updatedDate` is rejected (or at minimum: does not change those columns on the persisted row) for both create and update paths.

Exploitation Scenario

A malicious insider or compromised account in workspace A retrieves target workspace UUIDs by calling GET /api/v1/workspaces or extracting workspaceId values from any cross-referenced object in API responses — no special permissions required. They then issue PUT /api/v1/evaluators/<owned-evaluator-id> with JSON body containing workspaceId set to workspace B's UUID. The Flowise controller calls Object.assign(updateEntity, body), the workspaceId field overwrites the entity, and the persistence layer commits it. Workspace B's members now see the evaluator in their dashboard and can access its scoring rubrics and model output benchmarks. Workspace A's evaluation pipeline silently breaks. The operation appears in access logs as a routine evaluator update, making detection dependent on database-level auditing which most Flowise deployments do not have configured.