{"id":47669,"date":"2026-04-09T15:02:11","date_gmt":"2026-04-09T08:02:11","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=47669"},"modified":"2026-04-16T15:05:31","modified_gmt":"2026-04-16T08:05:31","slug":"lo-hong-10-diem-nguy-hiem-trong-flowise-bi-khai-thac-hang-nghin-he-thong-hap-hoi","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/lo-hong-10-diem-nguy-hiem-trong-flowise-bi-khai-thac-hang-nghin-he-thong-hap-hoi\/",
"title":{"rendered":"Dangerous 10-point Flowise vulnerability exploited, thousands of systems &#8220;on their last legs&#8221;"},
"content":{"rendered":"<div><b>A critical vulnerability with the maximum CVSS score of 10\/10 in the open-source AI platform Flowise is being exploited in the wild, putting thousands of systems on red alert.<\/b><br \/>\n<\/div>\n<div>\n<div class=\"bbImageWrapper  js-lbImage\" title=\"1775631962969.png\" data-src=\"https:\/\/whitehat.vn\/attachments\/1775631962969-png.18796\/\" data-lb-sidebar-href=\"\" data-lb-caption-extra-html=\"\" data-single-image=\"1\"><img loading=\"lazy\" decoding=\"async\" class=\"bbImage\" title=\"1775631962969.png\" src=\"https:\/\/whitehat.vn\/attachments\/1775631962969-png.18796\/\" alt=\"1775631962969.png\" width=\"701\" height=\"383\" data-url=\"\" data-zoom-target=\"1\" \/><\/div>\n<\/div>\n<div>\n<p>The vulnerability, tracked as CVE-2025-59528, is a code injection flaw that leads to remote code execution. The root cause lies in the CustomMCP node component, which handles the configuration for connecting to an MCP server. While parsing this input, Flowise executed user-supplied JavaScript directly without any validation, allowing an attacker to inject and run malicious code.<\/p>\n<p>On successful exploitation, the vulnerability allows:<\/p><\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>Executing operating system commands through the child_process module<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Accessing and manipulating the file system through fs<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Stealing data and taking full control of the server<\/div>\n<\/li>\n<\/ul>\n<div><p>Notably, an attacker needs only a valid API token to trigger the exploit, which raises the risk considerably: statistics currently show more than 12,000 Flowise deployments exposed to the Internet, a large attack surface for mass scanning and exploitation campaigns.<\/p>\n<p>According to a VulnCheck report, exploitation activity has been observed with attack traffic originating from Starlink infrastructure. This is the third Flowise vulnerability to be exploited, after CVE-2025-8943 and CVE-2025-26319.<\/p>\n<p>A WhiteHat expert stressed the severity of the problem:<\/p>\n<p>This is no longer an isolated misconfiguration but a code injection vulnerability of the most dangerous kind in AI platforms. Once JavaScript is executed directly on the server, loss of control follows almost immediately.<\/p>\n<p>A patch is available, but slow updating is leaving thousands of systems as ready-made targets. Update now, reduce the attack surface, control access and review logs; otherwise, being taken over is only a matter of time.<\/p><\/div>\n","protected":false},
"excerpt":{"rendered":"<p>A critical vulnerability with the maximum CVSS score of 10\/10 in the open-source AI platform Flowise is being exploited in the wild, putting thousands of systems on red alert. The vulnerability, tracked as CVE-2025-59528, is a code injection flaw that leads to code execution [&hellip;]<\/p>\n","protected":false},
"author":20,"featured_media":47670,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[3,24,35],"tags":[],"class_list":["post-47669","post","type-post","status-publish","format-standard","has-post-thumbnail","category-canh-bao-khuyen-nghi","category-tin-noi-bat","category-tin-tuc-su-kien"],"amp_enabled":true,
"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=47669"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47669\/revisions"}],"predecessor-version":[{"id":47671,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47669\/revisions\/47671"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/47670"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=47669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=47669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=47669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}