ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise
-- VULNERABILITY DETAILS ------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.
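A pre-execution gate for the kind of LLM-generated Python script described above, as an added example (not Flowise code and not from the advisory): it parses the script with `ast` and rejects anything outside an allowlist. The allowlists, the `df` variable name and the sample scripts are assumptions constructed for illustration; a static check like this complements process-level isolation of the interpreter and does not replace it.

```python
import ast
import builtins

# Assumed policy, not taken from the advisory: a generated script may only
# read the preloaded DataFrame `df` through a short list of pandas members.
ALLOWED_NAMES = {"df", "len", "sum", "min", "max", "round", "sorted"}
ALLOWED_ATTRS = {"shape", "columns", "loc", "iloc", "head", "groupby", "mean",
                 "sum", "count", "min", "max", "nunique", "value_counts",
                 "sort_values"}
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.Name, ast.expr_context,
    ast.Constant, ast.Attribute, ast.Subscript, ast.Slice, ast.Call,
    ast.keyword, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.List, ast.Tuple, ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)


def violations(script: str) -> list[str]:
    """Return the reasons a generated script is rejected (empty list = pass)."""
    try:
        tree = ast.parse(script)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    nodes = list(ast.walk(tree))
    stored = {n.id for n in nodes
              if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    found = []
    for node in nodes:
        line = getattr(node, "lineno", "?")
        if not isinstance(node, ALLOWED_NODES):
            found.append(f"line {line}: {type(node).__name__} not allowed")
        elif isinstance(node, ast.Name):
            if node.id in stored:
                # A local may not be private or shadow a builtin; otherwise
                # `open = 0` would make every other use of `open` pass.
                if node.id.startswith("_") or hasattr(builtins, node.id):
                    found.append(f"line {line}: cannot bind {node.id!r}")
            elif node.id not in ALLOWED_NAMES:
                found.append(f"line {line}: name {node.id!r} not allowed")
        elif isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            found.append(f"line {line}: attribute {node.attr!r} not allowed")
    return found


# Constructed sample scripts standing in for model output.
OK_SCRIPT = 'top = df.groupby("region")["sales"].sum()\nlen(df)'
BAD_SCRIPT = 'import os\ndf.to_pickle("x")\nprint = 0'
```

Only scripts for which `violations()` returns an empty list would be handed to the interpreter; everything else is refused and logged with the listed reasons.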
FlowiseAI Flowise version 3.0.13 (https://github.com/FlowiseAI/Flowise)
npm install -g flowise@3.0.13
npx flowise start
FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.
One such feature of Flowise is the ability to create chatflows. Chatflows use a drag-and-drop editor that allows a developer to place nodes that control how an interaction with an LLM will occur. One such node is the Airtable Agent node, which represents an Agent used to answer queries on a provided Airtable table.
When a user makes a query against a...
3.1.0
Exploitability: AV:N AC:H AT:P PR:N UI:N
Vulnerable System: VC:H VI:H VA:H
Subsequent System: SC:N SI:N SA:N
9.2 / CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N