Description
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-29246
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description:
Flowise, a drag-and-drop user interface for building customized large language model flows, is vulnerable to remote code execution (RCE) in version 3.0.5. The vulnerability arises from the CustomMCP node, which allows users to input configuration settings for connecting to an external MCP server. The user-provided mcpServerConfig string is parsed and executed as JavaScript code without proper security validation, specifically within the convertToValidJSONString function using the Function() constructor. This execution runs with full Node.js runtime privileges, enabling access to dangerous modules such as child_process and fs.
Severity Evaluation:
- Base Score: 10.0
- Base Score Version: 3.1
- Base Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
The CVSS score of 10.0 indicates a critical vulnerability. The attack is carried out over the network (AV:N), has low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The scope change (S:C) indicates that the vulnerability affects components beyond the security scope of the vulnerable component.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Remote Code Execution (RCE): An attacker can craft a malicious mcpServerConfig string that, when processed by the convertToValidJSONString function, executes arbitrary JavaScript code.
- Privilege Escalation: The executed code runs with full Node.js runtime privileges, allowing the attacker to access sensitive system resources and perform unauthorized actions.
Exploitation Methods:
- Direct Exploitation: An attacker can directly input a malicious configuration string through the CustomMCP node interface.
- Indirect Exploitation: An attacker can exploit this vulnerability through other interfaces or components that interact with the CustomMCP node, potentially through cross-site scripting (XSS) or other injection vectors.
3. Affected Systems and Software Versions
Affected Systems:
- Flowise version 3.0.5
Software Versions:
- All installations of Flowise version 3.0.5 are vulnerable.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade to Version 3.0.6: The vulnerability has been patched in version 3.0.6. Users should upgrade to this version immediately.
- Disable CustomMCP Node: If upgrading is not immediately possible, disable the CustomMCP node to prevent exploitation.
Long-Term Mitigation:
- Input Validation: Implement robust input validation and sanitization for all user-provided data.
- Least Privilege Principle: Ensure that code execution is restricted to the minimum necessary privileges.
- Regular Security Audits: Conduct regular security audits and code reviews to identify and mitigate similar vulnerabilities.
5. Impact on European Cybersecurity Landscape
Impact Analysis:
- Widespread Adoption: Flowise's widespread adoption in Europe for building large language model flows increases the potential impact of this vulnerability.
- Critical Infrastructure: Organizations using Flowise in critical infrastructure or sensitive applications are at high risk of data breaches, unauthorized access, and service disruptions.
- Compliance: Data breaches resulting from this vulnerability can lead to non-compliance with GDPR and other regulatory requirements.
Regulatory Implications:
- GDPR Compliance: Organizations must ensure that personal data is protected, and any breach resulting from this vulnerability could lead to significant fines and legal actions.
- Cybersecurity Directives: Compliance with EU cybersecurity directives and guidelines is essential to mitigate the risk associated with this vulnerability.
6. Technical Details for Security Professionals
Vulnerable Code Analysis:
- The convertToValidJSONString function in the CustomMCP.ts file uses the Function() constructor to evaluate user input, leading to RCE.
- Example of vulnerable code:

    function convertToValidJSONString(input) {
        // Vulnerable: the input string is compiled and run as JavaScript
        return new Function('return ' + input)();
    }

Patch Details:
- The patch in version 3.0.6 likely involves replacing the Function() constructor with a secure parsing method, such as JSON.parse(), and implementing proper input validation.
- Example of patched code:

    function convertToValidJSONString(input) {
        try {
            // JSON.parse only builds data; it never evaluates expressions
            return JSON.parse(input);
        } catch (e) {
            throw new Error('Invalid JSON string');
        }
    }

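A stricter variant of the parsing approach above, as an added example (not Flowise's actual patch or code). It parses with JSON.parse and then accepts only an allowlisted shape, so input that is not plain data is rejected without being evaluated. The function names parseMcpServerConfig and checkConfig, the allowed key names and the size limit are assumptions chosen for illustration.

```javascript
// Added example: strict, data-only parser for an MCP server config string.
// Key names and limits are assumptions for illustration, not Flowise's schema.
const MAX_CONFIG_BYTES = 16 * 1024;
const isString = (v) => typeof v === 'string';
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// A Map avoids inherited lookups such as "constructor" or "__proto__".
const ALLOWED_KEYS = new Map([
  ['command', isString],
  ['url', isString],
  ['args', (v) => Array.isArray(v) && v.every(isString)],
  ['env', (v) => isPlainObject(v) && Object.values(v).every(isString)],
]);

function parseMcpServerConfig(input) {
  if (typeof input !== 'string' || Buffer.byteLength(input, 'utf8') > MAX_CONFIG_BYTES) {
    throw new Error('config must be a string of bounded size');
  }
  let parsed;
  try {
    parsed = JSON.parse(input); // parses data only; never evaluates expressions
  } catch (e) {
    throw new Error('config is not valid JSON');
  }
  if (!isPlainObject(parsed)) throw new Error('config must be a JSON object');

  const clean = {};
  for (const [key, value] of Object.entries(parsed)) {
    const check = ALLOWED_KEYS.get(key);
    if (!check) throw new Error(`unexpected key: ${key}`);
    if (!check(value)) throw new Error(`invalid value for key: ${key}`);
    clean[key] = value;
  }
  if (!('command' in clean) && !('url' in clean)) {
    throw new Error('config needs "command" or "url"');
  }
  return clean;
}

// Returns a result object instead of throwing, convenient for auditing stored configs.
function checkConfig(input) {
  try {
    return { ok: true, config: parseMcpServerConfig(input) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample input.
const SAMPLE = '{"command":"npx","args":["-y","example-mcp-server"],"env":{"LOG_LEVEL":"info"}}';
console.log(checkConfig(SAMPLE));
```

Configurations written in relaxed JavaScript-object syntax (unquoted keys, single quotes) are rejected by this parser and would need to be rewritten as strict JSON.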
Conclusion: This critical vulnerability in Flowise version 3.0.5 underscores the importance of secure coding practices and regular security audits. Organizations must prioritize upgrading to the patched version and implementing robust security measures to protect against similar vulnerabilities in the future.