Flowise, a drag-and-drop UI for building customized large language model flows, contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in versions prior to 3.1.0. The vulnerability exists in the Custom Function feature where SSRF protection via HTTP_DENY_LIST is implemented for axios and node-fetch libraries, but built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources, including cloud provider metadata services. The vulnerability has been fixed in version 3.1.0.