Flowise Command Injection Vulnerability in MCP Adapter Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in Flowise versions prior to 3.1.0, due to unsafe handling of standard input/output commands in the Model Context Protocol (MCP) adapter. An authenticated attacker can exploit this by adding an MCP server with arbitrary commands, bypassing existing input validation. The vulnerability arises from inadequate sanitization in the 'Custom MCP' configuration, allowing execution of commands like 'npx' combined with code execution arguments. This issue is now patched in version 3.1.0.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server where Flowise is running, with the same privileges as the Flowise process. This could lead to a complete compromise of the system.

Reproduction

To reproduce this vulnerability, an authenticated user can create a new 'Custom MCP' in the Flowise application. While adding the MCP, the user can input any command into the 'stdio' configuration, despite the presence of some input validation checks. Once a command is injected, it is executed on the underlying operating system, allowing for arbitrary code execution.

Remediation

Users are advised to upgrade to Flowise version 3.1.0 or later, where this vulnerability has been fixed.
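Upgrading is the fix; as an added example (not Flowise's own code), the validator below shows the allowlist approach that closes the gap described under Reproduction, where a denylist-style check on the 'stdio' command could be bypassed. It assumes a Custom MCP stdio definition of the shape {"command", "args", "env"} and operator-chosen launcher paths and env keys, all constructed here.

```python
import json

# Assumptions (added example, not Flowise code): a Custom MCP stdio server is a JSON object
# {"command": str, "args": [str], "env": {str: str}}; launcher paths and env keys are constructed.
ALLOWED_COMMANDS = {"/opt/mcp/bin/filesystem-server", "/opt/mcp/bin/git-server"}
ALLOWED_ENV_KEYS = {"MCP_LOG_LEVEL", "MCP_ROOT"}
SHELL_META = set(";&|`$<>(){}\n\r\x00")
MAX_ARGS, MAX_ARG_LEN = 16, 256


def validate_stdio_config(raw: str) -> tuple[bool, str]:
    """Return (ok, reason); only a vetted launcher with plain string arguments passes."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg}"
    if not isinstance(cfg, dict):
        return False, "config must be a JSON object"
    unknown = set(cfg) - {"command", "args", "env"}
    if unknown:
        return False, f"unexpected keys: {sorted(unknown)}"
    command = cfg.get("command")
    # Exact-match allowlist, not a denylist of known-bad binaries: a package runner or a
    # shell is rejected however it is spelled and whatever it is asked to run.
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        return False, f"command not allowlisted: {command!r}"
    args = cfg.get("args", [])
    if not isinstance(args, list) or len(args) > MAX_ARGS:
        return False, f"args must be a list of at most {MAX_ARGS} items"
    for arg in args:
        if not isinstance(arg, str) or len(arg) > MAX_ARG_LEN:
            return False, "each arg must be a short string"
        if SHELL_META & set(arg):
            return False, f"shell metacharacter in arg: {arg!r}"
    env = cfg.get("env", {})
    if not isinstance(env, dict) or not all(isinstance(k, str) and isinstance(v, str) for k, v in env.items()):
        return False, "env must map strings to strings"
    if set(env) - ALLOWED_ENV_KEYS:
        return False, f"env key not allowlisted: {sorted(set(env) - ALLOWED_ENV_KEYS)}"
    return True, "ok"


def build_argv(raw: str) -> list[str]:
    """argv for subprocess.Popen(argv, shell=False): the list form never reaches a shell."""
    ok, reason = validate_stdio_config(raw)
    if not ok:
        raise ValueError(reason)
    cfg = json.loads(raw)
    return [cfg["command"], *cfg.get("args", [])]
```

Spawning with the argv list and shell=False means the metacharacter check is defence in depth; the allowlist on the command itself is the control that matters.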

Added: Apr 22, 2026, 12:26 AM
Updated: Apr 22, 2026, 12:26 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.3
impact: 10.0
exploitability: 5.9
remediation: 7.7
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.