7 matches found
Malicious code in nodepathbalance54 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5ade836e7f92049242a01dbc0782900900c4e28eb7e08f9d9ebc611aab80762 nodepathbalance54 exports a single function nodeaxionweb whose implementation is hidden inside a hand-rolled stack-based JavaScript VM in index.js...
MAL-2026-6141 Malicious code in clx-cookie-signature (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3 Package impersonates the popular cookie-signature library copying its README, author field 'TJ Holowaychuk ', and sign/unsign API, but index.js adds ...
CVE-2026-43995 Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axios instead of using the secured wrapper. These tools include 1 OpenAPIToolkit/OpenAPIToolkit.ts, 2...
CVE-2026-43995
Flowise is affected by an SSRF-related vulnerability in which multiple tools (OpenAPIToolkit.ts, WebScraperTool.ts, MCP/core.ts, Arxiv/core.ts) directly import raw HTTP clients (node-fetch, axios) instead of the centralized httpSecurity.ts wrapper. This bypass allows outbound requests to evade th...
FastGPT 代码问题漏洞
FastGPT is an open-source knowledge base question-answering system based on large language models developed by Labring. Versions of FastGPT prior to 4.14.17 contained code vulnerabilities. These vulnerabilities stemmed from the fetchData function in the lafModule workflow node, which used axios t...
PT-2026-39210
Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.14.17 Description An unauthenticated Server-Side Request Forgery SSRF allows attackers or authenticated users with App editing privileges to send arbitrary HTTP requests to internal or private network addresses. The...
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
Summary Flowise introduced SSRF protections through a centralized HTTP security wrapper httpSecurity.ts that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axiosInstead of using the secured...