CVE-2024-31621: 
JavaScript vulnerability analysis and mitigation

An authentication bypass vulnerability was discovered in FlowiseAI Inc Flowise versions 1.6.2 and earlier, tracked as CVE-2024-31621. The vulnerability allows remote attackers to execute arbitrary code via a crafted script to the api/v1 component. The issue was disclosed in April 2024 and affects the Flowise low-code LLM application builder platform (NVD, Dark Reading).

The vulnerability stems from improper case sensitivity checking in the authentication middleware. The code only checks for lowercase '/api/v1' in URL paths, allowing attackers to bypass authentication by modifying the endpoint case to uppercase like '/API/V1'. The vulnerability received a CVSS v3.1 Base Score of 7.6 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L. The issue is classified as CWE-94: Improper Control of Generation of Code (Code Injection) (Exploit DB).

The vulnerability exposes sensitive information including GitHub access tokens, OpenAI API keys, Flowise passwords in plaintext, database configurations, and prompts associated with Flowise applications. This exposure could lead to unauthorized access to private repositories, vector databases, and other integrated services containing confidential data (Dark Reading).

Organizations using Flowise should upgrade to versions newer than 1.6.2 to address this vulnerability. For those unable to upgrade immediately, implementing proper URL case sensitivity checking and strengthening authentication middleware controls are recommended (Security Online).

Security researchers have highlighted this vulnerability as part of a broader concern regarding the security of publicly accessible GenAI development services. The discovery has raised awareness about the importance of proper security measures in AI tool deployments, particularly for vector databases and LLM automation tools (Security Online).