-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability is a classic stored Cross-Site Scripting (XSS) issue within the Flowise application. The root cause is the insecure handling of data displayed in the user interface, specifically in components that render chat messages, logs, and execution details. The analysis of the patch commit c6c135535caad37a81acdd484e9390e152d4d74c reveals that several React components (ViewMessagesDialog, NodeExecutionDetails, ChatMessage, and JSONViewer) were using dangerouslySetInnerHTML to render data. This function, as its name implies, is dangerous if the content being rendered is not properly sanitized, as it allows for the injection and execution of arbitrary HTML and JavaScript.
An attacker could craft a malicious payload (e.g., <img src=x onerror=alert(document.cookie)>) and send it as a chat message. This payload would be stored on the server. When an administrator or another user views the chat history or related logs, the vulnerable components would render the malicious payload, causing the script to execute in the victim's browser. This could lead to session hijacking, data theft, or further attacks.
The fix implemented in the patch addresses this vulnerability by introducing a new SafeHTML component. This component utilizes the dompurify library to sanitize any HTML content before it is rendered. By replacing all instances of direct dangerouslySetInnerHTML usage with the new SafeHTML component, the application ensures that any potentially malicious content is stripped out, mitigating the XSS risk.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| flowise | npm | < 3.0.5 | 3.0.5 |
JavaScriptJavaScriptOngoing coverage of React2Shell