


Perceptive Security
SOC/SIEM Consultancy

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secu…
Published:
22 April 2026 at 22:00:00
Alert date:
23 April 2026 at 21:01:44
Source:
nvd.nist.gov
Web Technologies, Emerging Technologies
Flowise, a drag & drop UI for building customized large language model flows, contains Server-Side Request Forgery (SSRF) vulnerabilities in versions prior to 3.1.0. The security flaws exist in core security wrappers (secureAxiosRequest and secureFetch) that are designed to prevent SSRF attacks. Attackers can bypass allow/deny lists through DNS Rebinding attacks (Time-of-Check Time-of-Use) or by exploiting default configurations that fail to enforce deny lists. The vulnerability has been patched in version 3.1.0.
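The Time-of-Check Time-of-Use gap behind a DNS rebinding bypass, shown next to a resolve-once-and-pin check. This is an added example, not Flowise's code or its 3.1.0 patch; every function name, the deny list, the `rebind.example` host and the stub resolver are assumptions constructed for illustration.

```javascript
// Added example, not Flowise code. IPv4 only; anything else is refused (fail closed).
const DENY = [ // [network, prefix length]: "this" net, private, CGNAT, loopback, link-local
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isDenied(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // not a plain dotted-quad IPv4 address: refuse
  return DENY.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Vulnerable shape: validate one resolution, then let the client resolve again.
async function checkThenConnect(host, resolve) {
  const checked = await resolve(host);          // time of check
  if (checked.some(isDenied)) throw new Error('blocked');
  return (await resolve(host))[0];              // time of use: a second, unchecked answer
}

// Hardened shape: resolve once, validate every answer, dial the validated address.
async function resolveOnceAndPin(host, resolve) {
  const addrs = await resolve(host);
  if (addrs.length === 0 || addrs.some(isDenied)) throw new Error('blocked');
  return addrs[0]; // connect to this IP; keep Host header and TLS SNI set to `host`
}

// Constructed stub resolver whose answer changes between calls (rebinding behaviour).
function rebindingResolver(answers) {
  let i = 0;
  return async () => answers[Math.min(i++, answers.length - 1)];
}
```

In Node.js the pinned address can be enforced by passing a custom `lookup` function in the request options, so the socket dials exactly the IP that was checked. Each redirect hop needs the same resolve, check and pin sequence.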
Technical details
Affected products:
Flowise
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41272
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4
This article was created with the assistance of AI technology by Perceptive.
