Security Advisories. Source: GitHub Security Advisories
[flowise] Flowise Missing Authentication on NVIDIA NIM Endpoints
By GitHub, March 7, 2026
**Summary**

The NVIDIA NIM router (`/api/v1/nvidia-nim/*`) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints.

**Vulnerability Details**

| Field | Value |
|---|---|
| CWE | CWE-306: Missing Authentication for Critical Function |
| Affected File | `packages/server/src/utils/constants.ts` |
| Affected Line | Line 20 (`'/api/v1/nvidia-nim'` in `WHITELIST_URLS`) |
| CVSS 3.1 | 8.6 (High) |

**Root Cause**

In `packages/server/src/utils/constants.ts`, the NVIDIA NIM route is added to the authentication whitelist:

```typescript
export const WHITELIST_URLS = [
    // ... other URLs
    '/api/v1/nvidia-nim', // Line 20 - bypasses JWT/API-key validation
    // ...
]
```

This causes the global auth middleware to skip authentication checks for all endpoints under `/api/v1/nvidia-nim/*`. None of the controller actions in `packages/server/src/controllers/nvidia-nim/index.ts` perform their own authentication checks...
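The whitelist behaviour described above, modelled as an added example that is not Flowise code: a small audit that reports which privileged routes a prefix whitelist leaves reachable without credentials, suitable as a regression check. Assumptions: the prefix-matching rule, every path except `/api/v1/nvidia-nim`, and the "after" list (the advisory text is cut off before any fix is stated).

```typescript
// Added example, not Flowise source. The matching rule and every path other
// than '/api/v1/nvidia-nim' are assumptions made for illustration.
type Route = { method: string; path: string; privileged: boolean }

// "Before": whitelist as the advisory describes it. "After": entry removed
// (assumed remediation; the page does not show the actual fix).
const WHITELIST_BEFORE: string[] = ['/api/v1/example-public', '/api/v1/nvidia-nim']
const WHITELIST_AFTER: string[] = ['/api/v1/example-public']

// Assumed middleware rule: a request skips auth when its path equals a
// whitelisted entry or sits anywhere beneath it.
function isWhitelisted(path: string, whitelist: string[]): boolean {
    const p = path.toLowerCase()
    return whitelist.some((w) => p === w || p.startsWith(w + '/'))
}

// Global gate: the HTTP status the middleware would let through or return.
function gate(path: string, hasValidCredential: boolean, whitelist: string[]): number {
    if (isWhitelisted(path, whitelist)) return 200 // JWT/API-key check never runs
    return hasValidCredential ? 200 : 401
}

// Audit: privileged routes that answer 200 to a request with no credential.
function exposedPrivilegedRoutes(routes: Route[], whitelist: string[]): Route[] {
    return routes.filter((r) => r.privileged && gate(r.path, false, whitelist) === 200)
}

// Constructed route table; the sub-paths are placeholders, not real endpoints.
const ROUTES: Route[] = [
    { method: 'GET', path: '/api/v1/example-public', privileged: false },
    { method: 'GET', path: '/api/v1/nvidia-nim/example-token', privileged: true },
    { method: 'POST', path: '/api/v1/nvidia-nim/example-container', privileged: true },
    { method: 'GET', path: '/api/v1/example-resource', privileged: true }
]

// A CI check would fail the build whenever this list is non-empty.
const FINDINGS_BEFORE: string[] = exposedPrivilegedRoutes(ROUTES, WHITELIST_BEFORE).map((r) => r.path)
const FINDINGS_AFTER: string[] = exposedPrivilegedRoutes(ROUTES, WHITELIST_AFTER).map((r) => r.path)
```

Because the controllers perform no checks of their own, the whitelist entry is the only gate; the audit makes that dependency visible for any prefix added later.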
---
**[devsupporter commentary]**
This article is a recent development update provided by GitHub Security Advisories. To learn more about the related tools or technologies, see the original link.