GHSA-hr92-4q35-4j3m: 
Flowise vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-59527) was discovered in Flowise version 3.0.5, specifically in the /api/v1/fetch-links endpoint. Flowise is a drag & drop user interface designed for building customized large language model flows. The vulnerability was discovered and disclosed on September 13, 2025, and affects version 3.0.5 of the Flowise application (GitHub Advisory).

The vulnerability exists in the fetch-links feature, which is designed to extract links from external websites or XML sitemaps. The issue occurs when the relativeLinksMethod parameter is set to webCrawl or xmlScrape, as the server directly calls the fetch() function with the provided URL without proper validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low complexity, no privileges required, and high confidentiality impact (GitHub Advisory).

The vulnerability allows attackers to use the Flowise server as a proxy to access internal network web services and explore their link structures. The impact includes potential exposure of sensitive internal administrative endpoints, ability to explore internal web applications, bypass firewall rules, access sensitive administrative interfaces, and leak internal configuration, credentials, or secrets. This significantly increases the risk of internal service enumeration and potential lateral movement in an enterprise environment (GitHub Advisory).

The vulnerability has been patched in Flowise version 3.0.6. Users are advised to upgrade to this version to mitigate the SSRF vulnerability (GitHub Release).