Platform
nodejs
Component
flowise-embed
Fixed in
2.1.1
2.0.0
CVE-2024-9148 is a critical Cross-Site Scripting (XSS) vulnerability affecting the flowise-embed Node.js package. This vulnerability arises from a lack of proper input sanitization within Flowise Chat Embed versions prior to 2.0.0, allowing attackers to inject malicious scripts. The vulnerability impacts versions of flowise-embed less than 2.1.1 and Flowise Chat Embed versions before 2.0.0. A fix is available in version 2.0.0.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into the application, which will then be executed in the context of the user's browser. This can lead to a variety of malicious actions, including stealing sensitive user data like cookies and session tokens, redirecting users to phishing sites, or even defacing the application. Given the nature of Flowise Chat Embed, which is often used to integrate chat functionality into websites, the potential for widespread impact is high. Successful exploitation could compromise the entire website and its users’ data, similar to other high-profile XSS attacks that have resulted in significant data breaches and reputational damage.
This vulnerability was publicly disclosed on 2024-09-25. Currently, there is no indication of active exploitation campaigns targeting this specific vulnerability. While no public proof-of-concept (PoC) code has been widely released, the ease of exploitation inherent in XSS vulnerabilities means that it is likely to become a target for attackers. Monitor security advisories and threat intelligence feeds for any signs of exploitation.
Exploit Status
EPSS
1.93% (83% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-9148 is to upgrade to version 2.0.0 or later of Flowise Chat Embed and flowise-embed. If upgrading immediately is not feasible, consider implementing input validation and output encoding on all user-supplied data before rendering it in the application. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review and update any existing security policies to explicitly address XSS vulnerabilities and ensure developers are following secure coding practices. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the chat embed functionality and confirming that it is properly sanitized.
Update Flowise to version 2.1.1 or higher. This version contains the fix for the stored XSS vulnerability. Ensure you validate and sanitize all user inputs to prevent future attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-9148 is a critical XSS vulnerability in the flowise-embed Node.js package, affecting versions less than 2.1.1 and Flowise Chat Embed versions before 2.0.0, due to insufficient input sanitization.
You are affected if you are using flowise-embed versions less than 2.1.1 or Flowise Chat Embed versions before 2.0.0 in your Node.js project.
Upgrade to version 2.0.0 or later of Flowise Chat Embed and flowise-embed. Implement input validation and output encoding as a temporary mitigation.
There is currently no confirmed active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the flowise-embed project's repository and related security advisories for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.