Flowise Remote Code Execution Vulnerability via Unsafe Dynamic Function Constructor
Vulnerability
A remote code execution vulnerability has been identified in Flowise. This issue arises from user-controlled input being improperly handled by a dynamic Function constructor, which allows network attackers to execute arbitrary, unsandboxed JavaScript code in the host's context. The vulnerability can be exploited by sending a simple POST request, and depending on the Flowise version, it may lead to unauthenticated or authenticated remote code execution.
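The unsafe pattern described above next to a data-only parser, as an added example and not Flowise's own code. The function names, the allow-listed keys, the size limit and both sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration. Names, allow-list and limits are hypothetical.

// Unsafe pattern: the string is compiled and executed as JavaScript with
// full access to the host process. Nothing sandboxes it.
function parseConfigUnsafe(input) {
  return Function('return ' + input)();
}

// Hardened pattern: treat the input strictly as data.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);
const MAX_LENGTH = 16 * 1024;

function parseConfigSafe(input) {
  if (typeof input !== 'string' || input.length > MAX_LENGTH) {
    throw new TypeError('config must be a string within the size limit');
  }
  let value;
  try {
    value = JSON.parse(input); // JSON.parse never evaluates expressions
  } catch {
    throw new SyntaxError('config is not valid JSON');
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new TypeError('config must be a JSON object');
  }
  for (const key of Object.keys(value)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError(`unexpected key: ${key}`);
  }
  return value;
}

// Constructed inputs: a plain config, and a string that is an expression
// with a harmless side effect (it only sets a flag on globalThis).
const plainConfig = '{"url": "https://mcp.example.invalid/sse"}';
const expressionInput = '(globalThis.__sideEffect = true, {"url": "x"})';

function demo() {
  delete globalThis.__sideEffect;
  parseConfigUnsafe(expressionInput);           // expression is executed
  const unsafeRanCode = globalThis.__sideEffect === true;

  delete globalThis.__sideEffect;
  let safeRejected = false;
  try { parseConfigSafe(expressionInput); } catch { safeRejected = true; }
  const safeRanCode = globalThis.__sideEffect === true;

  return { unsafeRanCode, safeRejected, safeRanCode, parsed: parseConfigSafe(plainConfig) };
}
```

Calling `demo()` shows the constructor-based parser executing the embedded expression while the JSON-based parser rejects the same string without running it.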
Impact
Exploitation of this vulnerability allows for remote code execution on the host machine, with the executed code running in an unsandboxed environment.
Reproduction
To reproduce this vulnerability, send a POST request to the 'node-load-method/customMCP' API endpoint. Include a payload that specifies a command to be executed, such as one that creates a file in the '/tmp' directory. The command will be executed on the server, demonstrating the remote code execution capability of the vulnerability.
