7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-hr92-4q35-4j3m

EPSS Score

CWE

CWE-918

Published

9/15/2025

Updated

9/15/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hr92-4q35-4j3m

GHSA-hr92-4q35-4j3m: FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability

Summary

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The impact includes the potential exposure of sensitive internal administrative endpoints.

Details

Vulnerability Overview

The fetch-links feature in Flowise is designed to extract links from external websites or XML sitemaps. It performs an HTTP request from the server to the user-supplied URL and parses the response (HTML or XML) to extract and return links.

The issue arises because the feature performs these HTTP requests without validating the user-supplied URL. In particular, when the relativeLinksMethod parameter is set to webCrawl or xmlScrape, the server directly calls the fetch() function with the provided URL, making it vulnerable to SSRF attacks.

Root Cause

The fetch() function is called without URL validation or restriction, which enables attackers to redirect the server to internal services.

Taint Flow

• Taint 01: Route Registration

https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/fetch-links/index.ts#L6-L24

• Taint 02: Service

https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/fetch-links/index.ts#L8-L18

• Taint 03: xmlScrape

https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/src/utils.ts#L474-L478

PoC

PoC Description

This vulnerability was verified in a local development environment. The Flowise server was running at http://localhost:3000, and authentication was performed using the Bearer token:

tmY1fIjgqZ6-nWUuZ9G7VzDtlsOiSZlDZjFSxZrDd0Q

Upon a successful attack, the Flowise server returned the entire link structure of the internal admin panel in JSON format. The response included sensitive administrative URLs such as:

/api/users (User Management)
/api/secrets (API Keys)
/api/database (Database Config)

This demonstrated that an attacker could enumerate internal web service structures.

Internal Admin Server (Mock)

from flask import Flask, render_template_string

app = Flask(__name__)

@app.route('/')
def admin():
    return render_template_string("""
    <html>
    <h1>Internal Admin Panel</h1>
    <ul>
        <li><a href="/api/users">User Management</a></li>
        <li><a href="/api/secrets">API Keys</a></li>
        <li><a href="/api/database">Database Config</a></li>
        <li><a href="/api/logs">System Logs</a></li>
    </ul>
    """)

@app.route('/api/users')
def users():
    return render_template_string("""
    <html>
    <h1>Users</h1>
    <ul>
        <li><a href="/api/users/admin">admin (root)</a></li>
        <li><a href="/api/users/operator">operator</a></li>
    </ul>
    <a href="/">Back</a>
    """)

@app.route('/api/secrets')
def secrets():
    return render_template_string("""
    <html>
    <h1>Secrets</h1>
    <ul>
        <li><a href="/api/secrets/db_key">DB Key: sk-1234567890abcdef</a></li>
        <li><a href="/api/secrets/aws_key">AWS Key: AKIAIOSFODNN7EXAMPLE</a></li>
    </ul>
    <a href="/">Back</a>
    """)

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8080)

curl Request Example

curl -G 'http://localhost:3000/api/v1/fetch-links' \
     --data-urlencode 'url=http://127.0.0.1:8080/' \
     --data-urlencode 'relativeLinksMethod=webCrawl' \
     --data-urlencode 'limit=10' \
     -H 'Authorization: Bearer tmY1fIjgqZ6-nWUuZ9G7VzDtlsOiSZlDZjFSxZrDd0Q' \
     -s | jq '.'

Impact

This is a Server-Side Request Forgery (SSRF) vulnerability.

Who is impacted? Any user running Flowise server exposed to external traffic.
Risk: Attackers can leverage the Flowise server to:
- Explore internal web applications
- Bypass firewall rules
- Access sensitive administrative interfaces
- Leak internal configuration, credentials, or secrets

This vulnerability significantly increases the risk of internal service enumeration and potential lateral movement in an enterprise environment.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-hr92-4q35-4j3m

EPSS Score

CWE

CWE-918

Published

9/15/2025

Updated

9/15/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flowise	npm	= 3.0.5	3.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis identified a Server-Side Request Forgery (SSRF) issue in the /api/v1/fetch-links endpoint of the Flowise application. The root cause was the lack of URL validation when the server-side fetch API was used to retrieve content from user-provided URLs.

The investigation started by analyzing the provided vulnerability details, which pointed to specific code paths in the FlowiseAI/Flowise repository. By comparing the last vulnerable version (3.0.5) with the first patched version (3.0.6), I identified the fixing commit e002e617df6177cb603c8c569d224bce5fb96b33.

The commit's patch introduced two new security functions, secureFetch and checkDenyList, and applied them to the vulnerable code paths.

The analysis of the patch revealed three key functions involved in the vulnerability:

xmlScrape (packages/components/src/utils.ts): This function's direct use of fetch(currentURL) was replaced with secureFetch(currentURL), confirming it as a sink for the SSRF.
webCrawl (packages/components/src/utils.ts): This function, and the crawl helper it calls, also used an unrestricted fetch. The patch added a checkDenyList validation at the start of webCrawl and replaced fetch with secureFetch within the crawl function, indicating it was a primary vulnerable path.
getAllLinks (packages/server/src/services/fetch-links/index.ts): This service-layer function acts as the entry point for the vulnerable logic, taking the user's URL and dispatching it to either webCrawl or xmlScrape. The patch added a checkDenyList call here as a defense-in-depth measure.

These three functions would appear in a runtime profile or stack trace during an exploit. An attacker would send a request to the /api/v1/fetch-links endpoint, which would trigger the getAllLinks service, and subsequently either webCrawl or xmlScrape, causing the server to make a malicious request to an internal resource.

Vulnerable functions

webCrawl

packages/components/src/utils.ts

This function is responsible for crawling web pages. Before the patch, it did not validate the input URL, allowing an attacker to provide an internal or malicious URL. The function `crawl` called by `webCrawl` used the standard `fetch` API without restrictions, leading to a Server-Side Request Forgery (SSRF) vulnerability. The patch added the `checkDenyList` function to validate the URL before processing.

xmlScrape

packages/components/src/utils.ts

This function scrapes XML sitemaps from a given URL. It was vulnerable because it used the standard `fetch` API with the user-provided URL without any validation, making it susceptible to SSRF attacks. The patch replaced the insecure `fetch` call with a new `secureFetch` function that includes security checks.

getAllLinks

packages/server/src/services/fetch-links/index.ts

This service function orchestrates the link fetching process. It receives the raw URL from the controller and, prior to the patch, passed it to the vulnerable `webCrawl` or `xmlScrape` functions without validation. An attacker could exploit this to trigger the SSRF. The patch added a call to `checkDenyList` at the beginning of the function to validate the URL early in the process.

WAF Protection Rules

WAF Rule

### Summ*ry --- * S*rv*r-Si** R*qu*st *or**ry (SSR*) vuln*r**ility w*s *is*ov*r** in t** `/*pi/v*/**t**-links` *n*point o* t** *lowis* *ppli**tion. T*is vuln*r**ility *llows *n *tt**k*r to us* t** *lowis* s*rv*r *s * proxy to ****ss int*rn*l n*twork

Reasoning

T** vuln*r**ility *n*lysis i**nti*i** * S*rv*r-Si** R*qu*st *or**ry (SSR*) issu* in t** `/*pi/v*/**t**-links` *n*point o* t** *lowis* *ppli**tion. T** root **us* w*s t** l**k o* URL v*li**tion w**n t** s*rv*r-si** `**t**` *PI w*s us** to r*tri*v* *on

7.5

Basic Information

Concerned about an active attack path?

GHSA-hr92-4q35-4j3m: FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability

Summary

Details

Vulnerability Overview

Root Cause

Taint Flow

• Taint 01: Route Registration

• Taint 02: Service

• Taint 03: xmlScrape

PoC

PoC Description

Internal Admin Server (Mock)

curl Request Example

Impact

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI