| Title | FlowiseAI Flowise <= 3.0.12 Server-Side Request Forgery (CWE-918) |
|---|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/a6be3a134ff338ee0f1bb8d79a7826d0 |
| User | Eric-a (UID 96353) |
| Submission | 2026-03-11 15:09 (3 months ago) |
| Moderation | 2026-05-06 09:41 (2 months later) |
| Status | Accepted |
| VulDB Entry | 361278 [FlowiseAI Flowise up to 3.0.12 Custom MCP validateMCPServerConfig privilege escalation] |
| Points | 20 |

# Description

## Technical Details
A Server-Side Request Forgery (SSRF) vulnerability exists in the Custom MCP component's SSE/StreamableHTTP transport path in `packages/components/nodes/tools/MCP/core.ts` of FlowiseAI Flowise.

The `validateMCPServerConfig()` function validates the `command`, `args` and `env` fields but ignores the `url` field entirely. When a user provides an MCP config with only a `url` (no `command`), the SSE/StreamableHTTP transport is selected and the server makes HTTP requests to the user-supplied URL using raw `fetch()` via `@modelcontextprotocol/sdk`, bypassing `HTTP_DENY_LIST` and all other SSRF protections. This is separate from the API Document Loader SSRF (which uses raw axios).

## Vulnerable Code
- File: `packages/components/nodes/tools/MCP/core.ts` (lines 262-285, 49-65)
- Methods: `validateMCPServerConfig()` and `MCPToolkit.createClient()`
- Why: `validateMCPServerConfig()` performs no validation of `serverParams.url` or `serverParams.headers`. When `command` is undefined, `CustomMCP.getTools()` selects the SSE transport and `MCPToolkit.createClient()` creates a `StreamableHTTPClientTransport` or `SSEClientTransport` with the user-controlled URL, using raw `fetch()` with no deny-list check.

## Reproduction
1. Deploy Flowise with a deny list: `docker run -d -e HTTP_DENY_LIST="x.x.x.x/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8" -p 3001:3000 flowiseai/flowise:latest`
2. Authenticate and obtain a JWT.
3. Trigger the SSRF: `POST /api/v1/node-load-method/customMCP` with body `{"loadMethod":"listActions","inputs":{"mcpServerConfig":"{\"url\":\"http://172.17.0.1:9998/ssrf\"}"}}`
4. The listener receives a POST carrying the MCP JSON-RPC initialization payload, proving that `fetch()` was invoked against an internal IP despite the deny list.

## Impact
- Access to cloud metadata endpoints (AWS IAM credentials).
- Scanning of internal networks, bypassing network segmentation.
- Server IP disclosure via an attacker-controlled URL.
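As an added example, not Flowise's own code nor the project's fix: the check the description says `validateMCPServerConfig()` lacks, applied to the `url` field against the `HTTP_DENY_LIST` CIDRs from the deploy step. The config shape, function names and deny-list parsing are assumptions; it handles IPv4 literals only and fails closed for other hostnames.

```typescript
// Added example, not Flowise code. Checks the `url` field of a Custom MCP
// server config against HTTP_DENY_LIST (comma-separated IPv4 CIDRs), the
// check that validateMCPServerConfig() in core.ts does not perform.

// Assumed shape of the parsed `mcpServerConfig` JSON (other fields omitted).
interface MCPServerConfig { command?: string; url?: string }

// Dotted-quad IPv4 literal -> unsigned 32-bit int, or null if not IPv4.
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// "10.0.0.0/8,127.0.0.0/8" -> [networkBase, mask] pairs; bad entries skipped.
function parseDenyList(denyList: string): Array<[number, number]> {
  const nets: Array<[number, number]> = [];
  for (const entry of denyList.split(',')) {
    const [ip, bits = '32'] = entry.trim().split('/');
    const base = ipv4ToInt(ip);
    const prefix = Number(bits);
    if (base === null || !(prefix >= 0 && prefix <= 32)) continue;
    const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
    nets.push([(base & mask) >>> 0, mask]);
  }
  return nets;
}

// Returns null when the SSE/StreamableHTTP transport may contact cfg.url,
// otherwise the reason it is rejected. Fails closed for non-literal hostnames:
// a real check must resolve them and test every returned address, and must
// re-check after each redirect, since fetch() follows redirects by default.
function rejectReason(cfg: MCPServerConfig, denyList: string): string | null {
  if (cfg.command !== undefined || cfg.url === undefined) return null; // not the SSE/StreamableHTTP path
  let u: URL;
  try { u = new URL(cfg.url); } catch { return 'malformed url'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return `scheme ${u.protocol} not allowed`;
  const ip = ipv4ToInt(u.hostname);
  if (ip === null) return 'hostname must be resolved and every address re-checked';
  for (const [base, mask] of parseDenyList(denyList)) {
    if (((ip & mask) >>> 0) === base) return `${u.hostname} is in HTTP_DENY_LIST`;
  }
  return null;
}
```

The reproduction URL `http://172.17.0.1:9998/ssrf` falls inside `172.16.0.0/12` and is rejected; the placeholder entry `x.x.x.x/32` is skipped rather than treated as a wildcard.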