| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| flowise | npm | < 3.0.8 | 3.0.8 |
The vulnerability is a stored Cross-Site Scripting (XSS) issue in the FlowiseAI platform, tracked as GHSA-964p-j4gg-mhwc. The root cause was the use of React's dangerouslySetInnerHTML prop to render user-controllable data without sanitization. Because the payload is stored (for example in a chat message) and rendered whenever the content is viewed, it executes in the browser of any user who later opens the affected view. The unsafe rendering occurred in multiple UI components.
The fixing commit 9a06a85a8ddcbaeca1342827a5fea9087a587d97 introduces a new SafeHTML component that passes HTML through the dompurify library before rendering it, neutralizing the injected script. The patch systematically replaced direct uses of dangerouslySetInnerHTML with SafeHTML across several files. Note that the sanitization only protects content that actually flows through the wrapper: any remaining direct call to dangerouslySetInnerHTML on user-controlled data is still a sink.
The identified vulnerable functions are the React components where this unsafe rendering occurred:
- ViewMessagesDialog: directly implicated by the vulnerability description, as it is used to view chat messages.
- ChatMessage: renders individual chat messages and was a primary vector for the payload.
- NodeExecutionDetails: rendered execution artifacts, which could also contain malicious HTML.
- JSONViewer: used to display JSON data, which could contain malicious strings that were rendered as HTML.
An engineer with this vulnerability in their environment should treat any part of the application that displays user-provided content through these components as attack surface. During exploitation, a call stack captured in the browser's profiler or devtools at the moment the injected script runs would show one of these component names in the rendering phase.
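The check a practitioner wants after reading the above is whether any direct dangerouslySetInnerHTML usage remains in their fork or deployment. The following is an added example, not Flowise's own code or part of the fixing commit: a small Node.js audit script that scans React source text for dangerouslySetInnerHTML and flags every occurrence whose __html expression is not wrapped in DOMPurify.sanitize(). The two source samples inside it are constructed to illustrate the unsafe pattern and a SafeHTML-style hardened form; they are not the real Flowise files, and the SafeHTML wrapper shown is an assumed shape, not the component from the patch.

```javascript
// Added example (not the Flowise project's code): audit React source text for
// dangerouslySetInnerHTML sinks that bypass DOMPurify.sanitize().

// Constructed sample: the unsafe pattern the advisory describes. Rendering
// message.text straight into __html executes any <script>/onerror payload
// stored in the message.
const VULNERABLE_SRC = `
function ChatMessage({ message }) {
  return <div className="msg" dangerouslySetInnerHTML={{ __html: message.text }} />
}
`

// Constructed sample: a SafeHTML-style wrapper (assumed shape, not copied
// from the patch) that runs the HTML through dompurify before it reaches
// the sink, and a caller that uses the wrapper instead of the raw prop.
const HARDENED_SRC = `
import DOMPurify from 'dompurify'
export function SafeHTML({ html }) {
  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />
}
function ChatMessage({ message }) {
  return <SafeHTML html={message.text} />
}
`

// Scan one source string. Returns every dangerouslySetInnerHTML={{ __html: X }}
// occurrence with its line number, the expression X, and whether X is a
// direct DOMPurify.sanitize(...) call.
function auditSource(src, fileName = '<inline>') {
  // Fresh regex per call so the global lastIndex state never leaks between scans.
  const sinkRe = /dangerouslySetInnerHTML=\{\{\s*__html:\s*([^}]*)\}\}/g
  const findings = []
  let m
  while ((m = sinkRe.exec(src)) !== null) {
    const expr = m[1].trim()
    const sanitized = /^DOMPurify\.sanitize\(/.test(expr)
    // Line number = number of newlines before the match, plus one.
    const line = src.slice(0, m.index).split('\n').length
    findings.push({ file: fileName, line, expr, sanitized })
  }
  return findings
}

// Only the occurrences that still need attention: raw __html without sanitization.
function unsanitizedUses(src, fileName) {
  return auditSource(src, fileName).filter((f) => !f.sanitized)
}

// Human-readable report for a set of { name, src } entries.
function report(files) {
  const lines = []
  for (const { name, src } of files) {
    for (const f of unsanitizedUses(src, name)) {
      lines.push(`${f.file}:${f.line}: unsanitized __html expression "${f.expr}"`)
    }
  }
  return lines
}

// Usage: in a real audit, replace the constructed samples with the contents of
// your own .jsx/.tsx files (e.g. read via fs.readFileSync).
console.log(
  report([
    { name: 'ChatMessage.jsx', src: VULNERABLE_SRC },
    { name: 'SafeHTML.jsx', src: HARDENED_SRC }
  ]).join('\n') || 'no unsanitized dangerouslySetInnerHTML sinks found'
)
```

The regex deliberately treats only a direct DOMPurify.sanitize() call as safe; an expression that passes through some other helper is reported so a human can confirm the helper really sanitizes. A hit inside a file named SafeHTML (or whatever your wrapper is called) is expected, as long as it is the one sanitized sink everything else routes through.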