Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-58351

CVE-2024-58351: Flowise RCE Vulnerability

CVE-2024-58351 is a remote code execution flaw in Flowise before version 2.1.4 that enables attackers to inject malicious configuration and escape sandboxes. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-58351 Overview

CVE-2024-58351 is a code injection vulnerability in Flowise versions before 2.1.4. The flaw resides in the overrideConfig option, which is exposed through both the frontend web integration and the backend Prediction API. Flowise enables this feature by default and does not enforce an allow-list of permitted variables. The application relies on vm2 for sandboxing, which has known escape techniques. Attackers can abuse overrideConfig to inject arbitrary configuration into a Chainflow during execution. The issue maps to CWE-94: Improper Control of Generation of Code.

Critical Impact

Attackers can achieve remote code execution, sandbox escape, server-side request forgery, denial of service, prompt injection, and data exfiltration against their own session. The issues are self-targeted and do not persist to other users.

Affected Products

  • Flowise versions prior to 2.1.4
  • Flowise frontend web integration with overrideConfig enabled
  • Flowise backend Prediction API with overrideConfig enabled

Discovery Timeline

  • 2026-06-20 - CVE-2024-58351 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2024-58351

Vulnerability Analysis

Flowise is a low-code platform for building large language model (LLM) workflows known as Chainflows. The Prediction API and the embeddable web integration accept an overrideConfig object that lets callers redefine node parameters at runtime. The platform enables this feature by default and does not constrain which variables a caller can override. As a result, an attacker controlling a single prediction request can replace configuration values that are later evaluated by the vm2 sandbox.

Root Cause

The root cause is a missing allow-list combined with reliance on vm2 for isolation. vm2 has documented sandbox escape techniques that allow attacker-controlled JavaScript to break out into the host Node.js process. Because Flowise passes untrusted overrideConfig values into code paths that compile and execute JavaScript, an attacker can inject payloads that escape the sandbox and execute arbitrary code under the Flowise service account.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted Prediction API request, or interacts with an embedded Flowise widget, supplying a malicious overrideConfig payload. The payload can execute shell commands on the host, trigger outbound HTTP requests for SSRF, crash the Node.js process for denial of service, manipulate prompts sent to the underlying LLM, or read environment variables and server-side data. Because the abuse occurs within the attacker's own session, the impact is limited to the attacker's interaction with the server rather than other users.

No verified public exploit code is referenced in the advisory. See the VulnCheck Advisory for Remote Code Execution and the GitHub Security Advisory for technical analysis.

Detection Methods for CVE-2024-58351

Indicators of Compromise

  • HTTP requests to /api/v1/prediction/* endpoints containing an overrideConfig field with JavaScript syntax, template literals, or references to process, require, child_process, or constructor.
  • Flowise Node.js processes spawning unexpected child processes such as sh, bash, curl, or wget.
  • Outbound network connections from the Flowise host to attacker-controlled or internal metadata endpoints such as 169.254.169.254.
  • Unexpected reads of environment variables, API keys, or .env files by the Flowise process.

Detection Strategies

  • Inspect Prediction API request bodies for overrideConfig keys containing serialized functions, prototype chain references, or vm2 escape patterns.
  • Correlate Flowise process telemetry with new child process creation events and outbound connections originating from the application's runtime.
  • Baseline normal Chainflow execution behavior and alert on deviations such as filesystem access outside of expected directories.

Monitoring Recommendations

  • Enable verbose logging on the Flowise Prediction API and forward logs to a centralized SIEM for retention and search.
  • Monitor CPU, memory, and process crash counts on Flowise hosts to detect denial-of-service attempts.
  • Track DNS resolutions and egress traffic from Flowise containers, alerting on connections to unapproved destinations.

How to Mitigate CVE-2024-58351

Immediate Actions Required

  • Upgrade Flowise to version 2.1.4 or later, which addresses the overrideConfig injection issue.
  • Restrict network exposure of the Flowise Prediction API to trusted internal clients using a reverse proxy or firewall.
  • Rotate any credentials, API keys, and secrets that were available in the Flowise process environment prior to patching.
  • Audit Chainflow definitions for nodes that accept user-controlled input and review recent prediction logs for abuse.

Patch Information

FlowiseAI released a fix in version 2.1.4. The patched version introduces controls over which configuration variables can be overridden through the overrideConfig mechanism. Review the GitHub Security Advisory GHSA-5cph-wvm9-45gj for the full list of remediated behaviors and configuration changes.

Workarounds

  • Disable the overrideConfig feature in deployments where it is not required for production use.
  • Place Flowise behind an authenticated reverse proxy and require strong authentication for all Prediction API calls.
  • Run Flowise as a non-privileged user inside a hardened container with read-only filesystems and restricted egress.
  • Strip or validate the overrideConfig parameter at an API gateway before requests reach the Flowise backend.
bash
# Upgrade Flowise to the patched version
npm install -g flowise@2.1.4

# Verify installed version
flowise --version

# Example: block overrideConfig at an NGINX reverse proxy
# location /api/v1/prediction/ {
#     if ($request_body ~* "overrideConfig") { return 403; }
#     proxy_pass http://flowise_upstream;
# }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.