CNNVD-202509-3233 Information
CNNVD ID
CNNVD-202509-3233
Related CVE
-
CNNVD Published: 2025-09-22
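Description (Chinese, translated)
Flowise is a tool open-sourced by FlowiseAI for easily building LLM applications. Flowise version 3.0.5 contains a code issue vulnerability, which stems from server-side request forgery in the /api/v1/fetch-links endpoint and may allow an attacker to use the server as a proxy to access internal network services.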
Description (English)
Flowise is an open-source tool for easily building LLM applications. Flowise version 3.0.5 has a code issue vulnerability caused by server-side request forgery (SSRF) in the /api/v1/fetch-links endpoint, which may let an attacker use the server as a proxy to reach internal network services.
Hazard Level
Medium
Vulnerability Type
Code issue
Affected Vendor
Flute
Published
2025-09-22
Last Modified
2026-02-24
References
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/fetch-links/index.ts#L8-L18
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/src/utils.ts#L474-L478
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/fetch-links/index.ts#L6-L24
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hr92-4q35-4j3m
https://access.redhat.com/security/cve/cve-2025-59527
Patch
https://github.com/FlowiseAI/Flowise/releases