GHSA-9hrv-gvrv-6gf2: Flowise Execute Flow function has an SSRF vulnerability
An attacker supplies an intranet address in the base URL field configured in the Execute Flow node. This path bypasses the checkDenyList / resolveAndValidate checks in httpSecurity.ts, because they are not called for it. As a result, the server initiates an HTTP request to any internal network address, which lets the attacker read cloud metadata or detect internal network services.
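One way to check a user-supplied base URL against a deny list before the server sends the request, as an added example (not Flowise's httpSecurity.ts code). The names `validateBaseUrl`, `isDeniedAddress` and the `resolved` parameter are hypothetical, and the DNS answers are passed in as constructed values so the block runs offline.

```javascript
// Added example: helper names are hypothetical, not Flowise's httpSecurity.ts code.
// Denied IPv4 ranges as [network, prefix length]: "this network", private,
// loopback and link-local (cloud metadata is served from 169.254.169.254).
const DENIED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
const V4 = /^\d+\.\d+\.\d+\.\d+$/;
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isDeniedV4(ip) {
  const addr = v4ToInt(ip);
  return DENIED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the range
    return Math.floor(addr / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isDeniedAddress(ip) {
  const a = ip.replace(/^\[|\]$/g, '').toLowerCase();
  if (V4.test(a)) return isDeniedV4(a);
  if (!a.includes(':')) return true; // not an IP address: fail closed
  // IPv4-mapped IPv6, dotted form (::ffff:10.0.0.5) as a resolver may return it
  const d = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (d) return isDeniedV4(d[1]);
  // Same address in hex form: URL serializes it as ::ffff:a00:5
  const m = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) {
    const [hi, lo] = [parseInt(m[1], 16), parseInt(m[2], 16)];
    return isDeniedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  // loopback, unspecified, unique-local fc00::/7, link-local fe80::/10
  return a === '::1' || a === '::' || /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(a);
}

// `resolved` holds the DNS answers for the hostname (constructed, so this runs offline).
function validateBaseUrl(baseUrl, resolved = []) {
  let url;
  try { url = new URL(baseUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // URL normalizes 2130706433 or 0x7f.1 to 127.0.0.1 before we inspect it
  const host = url.hostname;
  const candidates = host.startsWith('[') || V4.test(host) ? [host] : resolved;
  if (candidates.length === 0) return { ok: false, reason: 'host did not resolve' };
  const bad = candidates.find((addr) => isDeniedAddress(addr));
  return bad ? { ok: false, reason: `denied address ${bad}` } : { ok: true, reason: '' };
}
```

The HTTP client must connect to the same address that was validated, and every redirect target needs the same check; otherwise a second DNS lookup or a redirect can still reach an internal address.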