Security Advisories | Source: GitHub Security Advisories | Views: 4
[flowise] Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
By GitHub, 7 March 2026
**Summary**

A Mass Assignment vulnerability in the `/api/v1/leads` endpoint allows any unauthenticated user to control internal entity fields (`id`, `createdDate`, `chatId`) by including them in the request body. The endpoint uses `Object.assign()` to copy every property of the request body onto the `Lead` entity without input validation or field filtering, so an attacker can override fields that are meant to be auto-generated and inject arbitrary values.

| Field | Value |
|---|---|
| Vulnerability Type | Mass Assignment |
| CWE ID | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| Authentication Required | None |
| Affected Endpoint | `POST /api/v1/leads` |

**Details**

Root cause: the vulnerability is in `/packages/server/src/services/leads/index.ts` at lines 27-28:

```ts
// File: /packages/server/src/services/leads/index.ts
// Lines 23-38
const createLead = async (body: Partial<ILead>) => {
    try {
        const chatId = body.chatId ?? uuidv4()
        const newLead = new Lead()
        Object.assign(newLead, body) // <- VULNERABILITY: All properties copied...
```
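As an added example (not code from the Flowise project or from the advisory), the vulnerable `Object.assign` pattern is shown beside an allow-list rewrite that copies only client-writable fields, in TypeScript. The `Lead`/`ILead` shape, the list of client-writable fields, the in-memory handling (no database) and the attacker payload are all assumptions made for the demonstration; `chatId` is kept client-settable only because the original reads `body.chatId ?? uuidv4()`.

```typescript
// Added example, not Flowise's own code. The entity shape, field list and
// payload below are assumptions; no database or ORM is involved.
import { randomUUID } from "node:crypto";

interface ILead {
  id: string;
  name?: string;
  email?: string;
  phone?: string;
  chatflowid?: string;
  chatId?: string;
  createdDate: Date;
}

class Lead implements ILead {
  id: string = randomUUID();      // in the real app: generated by the DB
  name?: string;
  email?: string;
  phone?: string;
  chatflowid?: string;
  chatId?: string;
  createdDate: Date = new Date(); // in the real app: set by the DB
}

// Vulnerable pattern (CWE-915): every key of the untrusted body, including
// id, createdDate and keys the entity never declared, lands on the entity.
function createLeadVulnerable(body: Record<string, unknown>): Lead {
  const chatId = (body.chatId as string | undefined) ?? randomUUID();
  const newLead = new Lead();
  Object.assign(newLead, body);
  newLead.chatId = chatId;
  return newLead;
}

// Hardened pattern: an explicit allow-list of client-writable fields.
// Server-controlled fields (id, createdDate) and unknown keys are ignored.
// Assumption: chatId stays client-settable, mirroring the original; drop it
// from the list if it should be server-assigned.
const CLIENT_WRITABLE = ["name", "email", "phone", "chatflowid", "chatId"] as const;

function createLeadHardened(body: Record<string, unknown>): Lead {
  const newLead = new Lead();
  for (const key of CLIENT_WRITABLE) {
    const value = body[key];
    if (typeof value === "string") {
      newLead[key] = value;
    }
  }
  newLead.chatId = newLead.chatId ?? randomUUID();
  return newLead;
}

// Constructed attacker payload: a plausible lead plus overrides for fields
// the client must never control, and an undeclared key.
const ATTACKER_BODY: Record<string, unknown> = {
  name: "alice",
  email: "alice@example.com",
  id: "00000000-0000-0000-0000-000000000001",
  createdDate: "1999-01-01T00:00:00.000Z",
  isAdmin: true,
};

// Runs both handlers over the same payload so the difference is visible.
function demo(): { vulnerable: Lead; hardened: Lead } {
  return {
    vulnerable: createLeadVulnerable(ATTACKER_BODY),
    hardened: createLeadHardened(ATTACKER_BODY),
  };
}
```

With the payload above, the vulnerable handler returns an entity whose `id` is the attacker's value, whose `createdDate` is now a string rather than a `Date`, and which carries an `isAdmin` property the entity never declared; the hardened handler keeps `name` and `email`, leaves `id` and `createdDate` as generated, and has no `isAdmin` key.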
---
**[devsupporter commentary]**
This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or techniques, see the original link.