Feature: Memory Poisoning (ASI06) Protection for AI Agent Nodes — OWASP Reference

[vgudur-dev]

Memory Poisoning (ASI06) in Flowise AI Agent Flows

Flowise is increasingly used to build production AI agent workflows where agents read from external sources (web scraping, email parsing, document ingestion) and write results into memory or pass them to downstream nodes.

This creates a critical attack surface known as ASI06 — Memory Poisoning, defined in the OWASP Top 10 for Agentic Applications 2025.

The attack: A malicious payload embedded in an external source (e.g., a webpage, email, or document) is processed by a Flowise agent and written into the flow's memory. Downstream nodes then execute based on the poisoned memory, leading to data exfiltration or full workflow compromise.

OWASP Agent Memory Guard

The OWASP Agent Memory Guard project provides a lightweight Python reference implementation of a scan-before-write pattern that addresses this exact threat:

from agent_memory_guard import MemoryGuard, GuardPolicy

guard = MemoryGuard(policy=GuardPolicy.BLOCK)
result = guard.scan(external_content)
if result.is_safe:
    agent_memory.write(result.sanitized_content)

It is already being discussed and adopted by maintainers of LangGraph, LiteLLM, AutoGen, and other major frameworks.

Would the Flowise team be open to:

1. Adding a reference to this pattern in the Flowise security docs
2. Optionally integrating a memory validation step in the AI Agent node pipeline

Happy to provide more technical detail or a prototype integration.