Flowise, Server-Side Request Forgery (SSRF), CVE-2024-55001 (Critical)

Listen to this Post

The vulnerability exists within the `/api/v1/fetch-links` endpoint. When the `relativeLinksMethod` parameter is set to `webCrawl` or xmlScrape, the server passes a user-supplied URL directly to the `fetch()` function without any validation. This lack of sanitization allows an attacker to provide a URL pointing to an internal, non-public service. The Flowise server then makes an HTTP request to this specified internal address, acting as an unintended proxy. The server fetches the content from the internal endpoint, parses it for links, and returns the extracted link structure in a JSON response to the attacker. This mechanism enables the enumeration of internal networks and services that are otherwise protected from external access.
Platform: Flowise
Version: <=1.6.4
Vulnerability: SSRF
Severity: Critical

date: 2024-10-22

Prediction: Patch 2024-11-05

What Undercode Say:

curl -G 'http://target:3000/api/v1/fetch-links' --data-urlencode 'url=http://127.0.0.1:8080/' --data-urlencode 'relativeLinksMethod=webCrawl' -H 'Authorization: Bearer [bash]'
// Taint Source: packages/server/src/controllers/fetch-links/index.ts
export const fetchLinks: IController = async (req: Request, res: Response, next: NextFunction) => {
try {
const { url, relativeLinksMethod, limit } = req.body
const result = await fetchLinksService({ url, relativeLinksMethod, limit })
res.json(result)
} catch (error) {
next(error)
}
}

How Exploit:

Craft HTTP request to `/api/v1/fetch-links` with `relativeLinksMethod=webCrawl` and `url` parameter targeting internal IPs (e.g., `http://192.168.1.1/admin`). The server retrieves the internal page, parses its HTML/XML, and returns all discovered hyperlinks, enabling internal network mapping.

Protection from this CVE:

Input validation.

Allowlist domains.

Network segmentation.

Impact:

Internal service discovery.

Sensitive data exposure.

Lateral movement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top