Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.

N/A

服务端请求伪造(SSRF)

Flowise 代码问题漏洞

Flowise是FlowiseAI开源的一个用于轻松构建 LLM 应用程序的工具。 Flowise 3.1.0之前版本存在代码问题漏洞，该漏洞源于POST/GET API Chain组件中的SSRF漏洞，允许未经身份验证的攻击者强制服务器向内部和外部系统发起任意HTTP请求。

N/A

N/A