7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36421

GHSA ID

GHSA-66f2-xxgm-f6xp

EPSS Score

0.16092%

CWE

CWE-346

Published

8/5/2024

Updated

8/5/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36421

CVE-2024-36421: Flowise Cors Misconfiguration in packages/server/src/index.ts

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36421

GHSA ID

GHSA-66f2-xxgm-f6xp

EPSS Score

0.16092%

CWE

CWE-346

Published

8/5/2024

Updated

8/5/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flowise	npm	<= 1.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The CORS misconfiguration vulnerability arises from the improper use of the cors middleware in the index.ts file. The middleware is used without configuring it to restrict origins, thus allowing all origins. This directly relates to the 'cors' function or method being used in the code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*lowis* is * *r** & *rop us*r int*r**** to *uil* * *ustomiz** l*r** l*n*u*** mo**l *low. In v*rsion *.*.* o* *lowis*, * *ORS mis*on*i*ur*tion s*ts t** ****ss-*ontrol-*llow-Ori*in *****r to *ll, *llowin* *r*itr*ry ori*ins to *onn**t to t** w**sit*. In

Reasoning

T** *ORS mis*on*i*ur*tion vuln*r**ility *ris*s *rom t** improp*r us* o* t** `*ors` mi**l*w*r* in t** `in**x.ts` *il*. T** mi**l*w*r* is us** wit*out *on*i*urin* it to r*stri*t ori*ins, t*us *llowin* *ll ori*ins. T*is *ir**tly r*l*t*s to t** `'*ors'`

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-36421: Flowise Cors Misconfiguration in packages/server/src/index.ts

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI