External risk intelligence

Flowise Remote Code Execution via Insecure Configuration Injection

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2024-58351

Flowise is a tool commonly deployed as a web application or backend API service to manage AI workflows. These components are frequently exposed as internet-facing services to facilitate user interaction and integration with other web applications, making the Prediction API and frontend integration typically reachable from the network.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Flowise, a platform for building and managing AI applications. The issue allows for unauthorized code execution and data exfiltration by exploiting a configuration injection flaw within its execution environment. The primary concern is confirming if this technology is in use and assessing potential exposure.

Configuration flaw allows unauthorized code execution.
Matters if Flowise is used for AI application workflows.
Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit a vulnerability in Flowise by leveraging its configuration override feature. This feature, enabled by default and relying on a sandboxing library, can be manipulated through either the web interface or the Prediction API to execute arbitrary code on the server. The attack can lead to serious consequences like remote code execution, data exfiltration, and denial of service.

Entry Condition: No authentication or user interaction needed.
Trigger Point: Injecting malicious configuration via overrideConfig.
Resulting Risk: Remote code execution and server compromise.

Live Threat

Current exploitation, exposure, and threat context

Configuration data in Flowise could be compromised, potentially leading to unauthorized actions when the overrideConfig option is used via the frontend or backend API. This issue is self-targeted and does not affect other users.

Server configuration data.
Via overrideConfig parameter.
Remote code execution, DoS, SSRF.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for Flowise deployments, likely application owners or platform teams, should first identify all instances of the affected technology. Confirming reachability and business criticality for each instance will help prioritize remediation efforts, engaging the appropriate accountable owner and vendor-management if necessary to plan a coordinated response based on identified risk.

Identify accountable Flowise owners.
Verify external reachability and criticality.
Plan risk-based remediation with vendors.

Supplementary metadata

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Flowise?

Flowise is a platform used to build and manage AI application workflows. It provides a drag-and-drop interface and a Prediction API that allows developers to integrate AI capabilities into larger software systems. Because it serves as an engine for automation, it often acts as a central hub for processing data and executing logic within an organization's AI infrastructure.

What does CWE-94 mean for CVE-2024-58351?

CWE-94 refers to improper control of generation of code, often called code injection. In the context of CVE-2024-58351, this means the software incorrectly handles user-supplied input. By manipulating a specific configuration setting, an attacker can trick the system into executing their own commands on the server. This bypasses security boundaries intended to isolate the application's internal processes.

How is this Flowise vulnerability triggered?

An attacker triggers the vulnerability by sending a malicious request through the frontend or the backend Prediction API using the 'overrideConfig' parameter. No prior authentication or special user interaction is required for this to work. Importantly, this is not a broad network-scanning bug; it requires specifically targeting the configuration injection point to manipulate the server's execution environment.

Is my Flowise instance at risk?

According to Halo Surface Signal, instances that are internet-facing are at higher risk because they are reachable from the network. Since this feature is enabled by default in affected versions, any deployment exposing the Prediction API or web interface to the public is potentially accessible to unauthorized actors. Internal-only instances have a smaller reach but should still be reviewed.

What should I do if I use Flowise?

Your first step is to locate all active deployments of Flowise within your environment and confirm their current version. Since this is a critical issue involving code execution, verify if your instances are accessible over the internet or restricted to private networks. Consult the official vendor security guidance to apply the necessary updates or configuration changes to secure your specific deployment.

References

Written by Nicholas Merritt

Nicholas Merritt is VP of Security Solutions at Halo Security. With more than 25 years across application security, vulnerability prioritization, and offensive security, he helps teams translate threat data into practical exposure validation and remediation focus. He authors Halo Threat Intelligence CVE advisories using Halo Surface Signal and H/A/L/O context to prioritize internet-facing risk.