Security researchers at JFrog Security Research have uncovered two critical vulnerabilities in Flowise, an open-source generative AI development platform used to build AI agents and LLM workflows. Both flaws — CVE-2025-8943 and CVE-2025-55346 — carry a CVSS score of 9.8, allowing remote code execution (RCE) with minimal to no authentication barriers.
CVE-2025-8943 — OS Command Injection
The first vulnerability arises from Flowise’s Custom MCPs feature, which is designed to execute OS commands for tasks like spinning up local MCP Servers with tools such as npx. However, the platform’s authentication and authorization model is minimal and, in some versions, default installations run without authentication unless explicitly configured.
As the advisory explains, “This combination allows either unauthenticated or authenticated users to execute unsandboxed OS commands.” Attackers can exploit this by sending a crafted payload to the node-load-method/customMCP API endpoint, such as:
CVE-2025-55346 — JavaScript Injection
The second flaw stems from unintended dynamic code execution due to unsafe usage of JavaScript’s Function constructor. By manipulating user-controlled input, attackers can inject arbitrary JavaScript, which executes in the host’s context without sandboxing.
The researchers warn, “Depending on the version of Flowise this could lead to either unauthenticated or authenticated remote code execution.” An example proof-of-concept request executes system commands directly via Node.js:
Both vulnerabilities open the door to full system compromise, enabling attackers to install malware, exfiltrate data, or pivot deeper into network infrastructure. The fact that either unauthenticated or minimally authenticated attackers can exploit these flaws drastically increases the risk for exposed deployments.
Administrators should:
- Update Flowise to the latest patched version immediately.
- Enable authentication and implement role-based access controls (RBAC) to restrict access to the Custom MCPs feature.
- Isolate Flowise instances from untrusted networks.
- Monitor for suspicious API calls, particularly to node-load-method/customMCP.
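One way to implement the monitoring step above, as an added example that is not from the article or the Flowise project. It assumes a reverse proxy in front of Flowise that writes combined-format access logs; the function names, the trusted-host set, the `/api/v1` prefix and the sample log lines are all constructed for illustration.

```javascript
// Added example, not Flowise code. Assumes combined-format proxy access logs,
// where "-" in the user field means the proxy saw no authenticated user.
const ENDPOINT = 'node-load-method/custommcp'; // endpoint from the advisory, lowercased

// ip ident user [time] "METHOD path PROTO" status bytes
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, user, time, method, rawPath, status] = m;
  let path = rawPath;
  // Decode percent-escapes so an encoded path does not slip past the match.
  try { path = decodeURIComponent(rawPath); } catch { /* malformed escape: keep raw */ }
  return { ip, user, time, method, path, status: Number(status) };
}

// Returns one finding per request that touched the endpoint, with a severity.
function findCustomMcpCalls(lines, trustedIps = new Set()) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !e.path.toLowerCase().includes(ENDPOINT)) continue;
    const trusted = trustedIps.has(e.ip);
    const unauthenticated = e.user === '-';
    const succeeded = e.status >= 200 && e.status < 300;
    let severity = 'low';                  // call from a known admin host
    if (!trusted) severity = 'medium';     // unknown source, request refused
    if (!trusted && succeeded) severity = unauthenticated ? 'critical' : 'high';
    hits.push({ ip: e.ip, time: e.time, status: e.status, unauthenticated, severity });
  }
  return hits;
}

// Constructed sample log lines (documentation IP ranges, made-up timestamps).
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2025:10:01:02 +0000] "POST /api/v1/node-load-method/customMCP HTTP/1.1" 200 512',
  '10.0.0.5 - alice [01/Jan/2025:10:02:00 +0000] "POST /api/v1/node-load-method/customMCP HTTP/1.1" 200 498',
  '198.51.100.9 - - [01/Jan/2025:10:03:10 +0000] "POST /api/v1/node-load-method/custom%4dCP HTTP/1.1" 401 31',
  '203.0.113.7 - - [01/Jan/2025:10:04:00 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 1024',
];

const findings = findCustomMcpCalls(SAMPLE_LOG, new Set(['10.0.0.5']));
for (const f of findings) console.log(f.severity, f.ip, f.status, f.time);
```

A successful call from an unknown address with no authenticated user is the case to escalate first; refused requests from unknown sources are still worth tracking as probing.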