GHSA-6933-jpx5-q87q: Flowise has unsandboxed remote code execution via Custom MCP
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise’s inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, the default installation of Flowise operates without authentication unless explicitly configured using the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables.
This combination presents a significant security risk, potentially allowing users on the platform to execute unsandboxed system commands. This can result in Remote Code Execution (RCE) and complete compromise of the running platform container or server.
References
- github.com/FlowiseAI/Flowise
- github.com/FlowiseAI/Flowise/commit/ac7cf30e019cde54905bf09b5d3fe1c6ba42f9b9
- github.com/FlowiseAI/Flowise/pull/5201
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-6933-jpx5-q87q
- github.com/advisories/GHSA-6933-jpx5-q87q
Code Behaviors & Features
Detect and mitigate GHSA-6933-jpx5-q87q with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →