Flowise Authentication Bypass (CVE-2024-31621)
Description
Flowise versions prior to 1.6.6 contain an authentication bypass in the Express middleware that guards the /api/v1/ endpoints. The middleware decides whether to enforce authentication with a case-sensitive substring check on the raw request URL, while Express matches route paths case-insensitively by default, so a request such as GET /API/V1/credentials is dispatched to the same handler as /api/v1/credentials without ever passing through the credential check. An unauthenticated attacker who can reach the server can therefore read and modify chatflows, stored credentials and API keys, which amounts to full administrative control of the instance. The flaw only matters where basic authentication had been enabled (FLOWISE_USERNAME and FLOWISE_PASSWORD); an instance deployed without them was already unauthenticated.
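The following is an added example, not Flowise's own source. It models the vulnerable gate (a case-sensitive substring test on the raw URL, feeding a router that folds case) next to a hardened gate that decides on the normalised path the router will actually match and denies by default under the API prefix. The route names and the public allow-list are illustrative assumptions, and the query-string case in the demo goes beyond this CVE's documented trigger: it shows that the same substring allow-list can be satisfied from outside the path, which the hardened version also closes.

```javascript
'use strict';

// Added example, not Flowise source. Route names and the public allow-list
// below are illustrative assumptions.

// Express matches route paths case-insensitively by default; this toy router
// reproduces that by comparing against an already case-folded path.
const ROUTES = ['/api/v1/credentials', '/api/v1/chatflows', '/api/v1/apikey',
  '/api/v1/public-chatflows'];

function routeFor(normalisedPath) {
  return ROUTES.find((r) => r === normalisedPath) || null;
}

// Endpoints meant to be reachable without credentials (illustrative).
const PUBLIC_PREFIXES = ['/api/v1/public-chatflows', '/api/v1/verify/apikey/'];

// Vulnerable gate: '/API/V1/credentials' does not contain '/api/v1/', so this
// returns false and the request reaches the credentials handler unauthenticated.
// The allow-list test is also a substring test over the whole URL, query included.
function vulnerableNeedsAuth(rawUrl) {
  if (rawUrl.includes('/api/v1/')) {
    return !PUBLIC_PREFIXES.some((u) => rawUrl.includes(u));
  }
  return false;
}

// Normalise the way the router will see the path: pathname only (no query),
// percent-decoded, duplicate slashes collapsed, case folded.
function normalisePath(rawUrl) {
  const { pathname } = new URL(rawUrl, 'http://localhost');
  let p;
  try { p = decodeURIComponent(pathname); } catch { p = pathname; }
  return p.replace(/\/{2,}/g, '/').toLowerCase();
}

// Hardened gate: deny by default under the API prefix, allow-list by path prefix.
function hardenedNeedsAuth(rawUrl) {
  const p = normalisePath(rawUrl);
  if (!p.startsWith('/api/')) return false; // UI assets and similar
  return !PUBLIC_PREFIXES.some((u) => p.startsWith(u));
}

// One request through gate and router; returns the status the client would see.
function dispatch(needsAuth, rawUrl, authenticated) {
  const route = routeFor(normalisePath(rawUrl));
  if (!route) return '404';
  if (needsAuth(rawUrl) && !authenticated) return '401';
  return `200 ${route}`;
}

for (const url of ['/api/v1/credentials', '/API/V1/credentials',
  '/api/v1/credentials?x=/api/v1/public-chatflows']) {
  console.log(url.padEnd(48),
    'vulnerable:', dispatch(vulnerableNeedsAuth, url, false).padEnd(24),
    'hardened:', dispatch(hardenedNeedsAuth, url, false));
}
```

The point of the hardened form is not the lowercasing by itself but that the gate and the router reason about the same normalised value; any check performed on a different representation of the request than the one the router dispatches on leaves a gap of this kind.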
Remediation
Immediately upgrade Flowise to version 1.6.6 or later, which addresses this authentication bypass vulnerability. Follow these steps:
1. Backup your current Flowise configuration and data
2. Update Flowise using your package manager (npm/yarn):
npm install -g flowise@latest
or
yarn global add flowise@latest
(pin flowise@1.6.6 instead of @latest if your change process requires an explicit version)
3. Restart the Flowise service to apply changes
4. Verify that the running instance reports 1.6.6 or later, either in the UI or from the CLI:
flowise --version
5. Review access logs from before the upgrade for requests to protected API endpoints that received 2xx responses without credentials. Because the bypass relies on the path matching /api/v1/ only case-insensitively, search case-insensitively and compare against exact-case matches: a filter written as the literal string /api/v1/ will miss the malicious variants
6. Rotate all API keys and credentials stored within Flowise as a precautionary measure
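A small triage script for step 5, added here as an example and not part of the advisory or of Flowise. It parses constructed access-log lines in the common nginx/Apache "combined" format (the sample traffic is made up) and flags requests whose path matches /api/v1/ only after case folding, which is the documented root cause. A second rule, flagging an API path embedded in the query string, is an assumption that the same substring allow-list could be satisfied from the query and is not something the advisory states; drop it if it produces noise in your environment. A 2xx on a flagged request is treated as a successful bypass, anything else as an attempt.

```javascript
'use strict';

// Added example, not Flowise or advisory code. The log lines are constructed,
// not real traffic, in the nginx/Apache "combined" format.
const SAMPLE_LOG = [
  '10.0.0.5 - - [02/May/2024:10:12:01 +0000] "GET /api/v1/chatflows HTTP/1.1" 401 12 "-" "curl/8.4.0"',
  '10.0.0.5 - - [02/May/2024:10:12:03 +0000] "GET /API/V1/chatflows HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
  '10.0.0.5 - - [02/May/2024:10:12:09 +0000] "GET /Api/v1/credentials HTTP/1.1" 200 2210 "-" "curl/8.4.0"',
  '10.0.0.5 - - [02/May/2024:10:12:15 +0000] "POST /api/v1/credentials?x=/api/v1/public-chatflows HTTP/1.1" 200 88 "-" "curl/8.4.0"',
  '192.168.1.20 - admin [02/May/2024:10:13:00 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '192.168.1.20 - - [02/May/2024:10:13:05 +0000] "GET /api/v1/public-chatflows/abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
].join('\n');

// ip, ident, user, [timestamp], "METHOD target PROTO", status
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, user, ts, method, target, status] = m;
  const { pathname, search } = new URL(target, 'http://localhost');
  return { ip, user, ts, method, path: pathname, query: search, status: Number(status) };
}

// Why a request looks like a bypass attempt. The first rule is the documented
// root cause (case-variant path). The second assumes the substring allow-list
// can also be satisfied from the query string; that is an assumption here.
function reasons(req) {
  const out = [];
  const lower = req.path.toLowerCase();
  if (lower.startsWith('/api/v1/') && !req.path.startsWith('/api/v1/')) {
    out.push('case-variant API path');
  }
  if (lower.startsWith('/api/v1/') && /\/api\/v1\//i.test(req.query)) {
    out.push('API path inside query string');
  }
  return out;
}

// One record per suspicious request. `succeeded` marks a 2xx answer, which on
// a route that should require credentials means the bypass worked.
function triage(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const req = parseLine(line);
    if (!req) continue;
    const why = reasons(req);
    if (why.length === 0) continue;
    hits.push({ ...req, reasons: why, succeeded: req.status >= 200 && req.status < 300 });
  }
  return hits;
}

for (const h of triage(SAMPLE_LOG)) {
  console.log(`${h.succeeded ? 'BYPASS ' : 'ATTEMPT'} ${h.ts} ${h.ip} ${h.method} ${h.path}${h.query} -> ${h.status} [${h.reasons.join('; ')}]`);
}
```

Run it over your real logs by replacing SAMPLE_LOG with the file contents; if Flowise sits behind a reverse proxy, use the proxy's logs, since the upstream request line is what the middleware saw.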
If immediate patching is not possible, restrict access to the Flowise administrative and API endpoints to trusted IP addresses at the network or reverse-proxy level, and do not expose the application directly to the internet. Any allow-list or WAF rule placed in front of it must match the API path case-insensitively and on the normalised path; a rule that matches the literal string /api/v1/ has the same blind spot as the vulnerable check.