Описание
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.
EPSS
Процентиль: 2%
0.00015
Низкий
9.8 Critical
CVSS3
Дефекты
CWE-94
Связанные уязвимости
CVSS3: 9.8
github
4 месяца назад
Flowise vulnerable to RCE via Dynamic function constructor injection
EPSS
Процентиль: 2%
0.00015
Низкий
9.8 Critical
CVSS3
Дефекты
CWE-94