CVE-2024-37145

Name of the Vulnerable Software and Affected Versions Flowise version 1.4.3

Description A reflected cross-site scripting issue occurs in the "/api/v1/chatflows-streaming/id" endpoint of Flowise. This allows an attacker to craft a specially crafted URL that injects Javascript into user sessions, potentially stealing information, creating false popups, or redirecting users to other websites. If the chatflow ID is not found, its value is reflected in the 404 page, enabling an attacker to attach arbitrary scripts and steal sensitive information. This issue may be chained with path injection to read arbitrary files from the Flowise server.

Recommendations For version 1.4.3, as a temporary workaround, consider disabling access to the "/api/v1/chatflows-streaming/id" endpoint until a patch is available. Restrict access to unauthenticated configurations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.