CVE-2025-8943
published 2025-08-14CVE-2025-8943: The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent…
PriorityP195critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
70.87%
99.3th percentile
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | < 3.0.1 | 3.0.1 |
| flowiseai | flowise | 0 – 3.0.5 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by monitoring for HTTP POST requests to /api/v1/node-load-method/customMCP containing the spoofed internal header 'x-request-from: internal' — this header bypasses authentication checks and is required for the exploit to succeed. ↗
- →Alert on POST requests to /api/v1/node-load-method/customMCP with a JSON body containing 'mcpServerConfig' and 'command'/'args' fields, especially from unauthenticated sources — this is the exact exploit payload structure. ↗
- →Monitor for DNS callback/OAST interactions triggered from Flowise server processes, which may indicate active exploitation via the customMCP RCE vector (Nuclei template uses interactsh DNS OOB detection). ↗
- →Successful exploitation responses return HTTP 200 with a JSON body containing 'No Available Actions' and a 'label' key — use this as a response-side detection signal in WAF/proxy logs. ↗
- →Exploitation is observed from Starlink IP space; threat intelligence enrichment on source IPs hitting /api/v1/node-load-method/customMCP should include ASN checks for Starlink (AS14593). ↗
- →Flowise instances exposed on the public internet can be identified via Shodan using the query http.title:"Flowise" — use this to enumerate your own exposure or track attacker reconnaissance. ↗
- →The Metasploit module targets Flowise versions >= 2.2.7-patch.1 and < 3.0.1; version fingerprinting of Flowise deployments in this range should be treated as high-priority patching targets. ↗
- ·The exploit works unauthenticated by default — Flowise versions before 3.0.1 run without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are explicitly configured. If Basic Auth IS enabled, credentials must be supplied for the exploit to succeed. ↗
- ·The vulnerability is only exploitable in Flowise versions before 3.0.1; the fix was introduced in 3.0.1 for CVE-2025-8943 specifically. Defenders should also be aware of co-exploited CVE-2025-26319 (arbitrary file upload, CVSS 8.9) and CVE-2025-59528 (JS code injection, CVSS 10.0) affecting overlapping version ranges. ↗
- ·Between 12,000 and 15,000 Flowise instances are currently exposed on the public internet, making opportunistic mass exploitation highly feasible. Removing instances from public internet access is recommended if external access is not required. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Flowise OS command remote code execution
ghsa·2025-08-14
CVE-2025-8943 [CRITICAL] CWE-306 Flowise OS command remote code execution
Flowise OS command remote code execution
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
OSV
Flowise OS command remote code execution
osv·2025-08-14
CVE-2025-8943 [CRITICAL] Flowise OS command remote code execution
Flowise OS command remote code execution
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
VulnCheck
FlowiseAI Flowise Missing Authentication for Critical Function
vulncheck·2025·CVSS 9.8
CVE-2025-8943 [CRITICAL] FlowiseAI Flowise Missing Authentication for Critical Function
FlowiseAI Flowise Missing Authentication for Critical Function
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
Affected: FlowiseAI Flowise
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-ca
No detection rules found.
Nuclei
Flowise < 3.0.1 - Remote Command Execution
nuclei·CVSS 9.8
CVE-2025-8943 [CRITICAL] Flowise < 3.0.1 - Remote Command Execution
Flowise < 3.0.1 - Remote Command Execution
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
Template:
id: CVE-2025-8943
info:
name: Flowise < 3.0.1 - Remote Command Execution
author: zezezez
severity: critical
description: |
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise
Metasploit
Flowise Custom MCP Remote Code Execution
metasploit
Flowise Custom MCP Remote Code Execution
Flowise Custom MCP Remote Code Execution
This module exploits a remote code execution vulnerability in Flowise versions >= 2.2.7-patch.1 and < 3.0.1. The vulnerability exists in the customMCP endpoint (/api/v1/node-load-method/customMCP) located in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts and packages/components/nodes/tools/MCP/core.ts, which allows users to execute arbitrary commands via StdioClientTransport by using the 'x-request-from: internal' header. When FLOWISE_USERNAME and FLOWISE_PASSWORD are not configured, the exploit works unauthenticated. If Basic Auth is enabled, the FLOWISE_USERNAME and FLOWISE_PASSWORD options must be set to provide credentials.
Bleepingcomputer
Max severity Flowise RCE vulnerability now exploited in attacks
blogs_bleepingcomputer·2026-04-07·CVSS 9.8
[CRITICAL] Max severity Flowise RCE vulnerability now exploited in attacks
## Max severity Flowise RCE vulnerability now exploited in attacks
## Bill Toulas
The developer addressed the issue in Flowise version 3.0.6. The latest current version is 3.1.1, released two weeks ago.
Flowise is an open-source , low-code platform for building AI agents and LLM-based workflows. It provides a drag-and-drop interface that lets users connect components into pipelines powering chatbots, automation, and AI systems.
It is used by a broad range of users, including developers working in AI prototyping, non-technical users working with no-code toolsets, and companies that operate customer support chatbots and knowledge-based assistants.
Caitlin Condon, security researcher at vulnerability intelligence company VulnCheck, announced on LinkedIn that exploitation of CVE-2025-5952
Hackernews
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
blogs_hackernews·2026-04-07·CVSS 9.8
CVE-2025-59528 [CRITICAL] Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Threat actors are exploiting a maximum-severity security flaw in Flowise , an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.
The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.
"The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server," Flowise said in an advisory released in September 2025. "This node parses the user-provided
Greynoiseio
NoiseLetter November 2025
blogs_greynoiseio
NoiseLetter November 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
2025-08-14
Published
Exploited in the wild