CVE-2025-8943
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
Analysis
Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS commands. The combination of no default authentication and the ability to spawn local processes via tools like npx enables unauthenticated remote code execution on any Flowise installation.
Technical Context
Flowise's Custom MCPs feature allows configuring external MCP (Model Context Protocol) servers using commands like npx. This feature is inherently capable of executing OS commands. Prior to version 3.0.1, Flowise operates without authentication by default and lacks RBAC. Any unauthenticated user can create Custom MCP configurations that execute arbitrary commands on the server.
Affected Products
['Flowise < 3.0.1']
Remediation
Update to Flowise 3.0.1 or later. Enable authentication immediately on all Flowise instances. Run Flowise behind a reverse proxy with authentication. Deploy in containers with restricted network and filesystem access. Never expose Flowise directly to the internet.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today