CVE-2025-8943
published 2025-08-14


Severity: critical, 9.8 (CVSS 3.1); priority P195
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 70.87% (99.3rd percentile)
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.

Affected (2 ranges)

Vendor      Product   Version range   Fixed in
flowiseai   flowise   < 3.0.1         3.0.1
flowiseai   flowise   0 – 3.0.5       -

Detection & IOCs (extracted from sources)

url: /api/v1/node-load-method/customMCP
other: x-request-from: internal
command: ping {{interactsh-url}} -c 4
path: packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts
path: packages/components/nodes/tools/MCP/core.ts
  • Detect exploitation attempts by monitoring for HTTP POST requests to /api/v1/node-load-method/customMCP containing the spoofed internal header 'x-request-from: internal' — this header bypasses authentication checks and is required for the exploit to succeed.
  • Alert on POST requests to /api/v1/node-load-method/customMCP with a JSON body containing 'mcpServerConfig' and 'command'/'args' fields, especially from unauthenticated sources — this is the exact exploit payload structure.
  • Monitor for DNS callback/OAST interactions triggered from Flowise server processes, which may indicate active exploitation via the customMCP RCE vector (Nuclei template uses interactsh DNS OOB detection).
  • Successful exploitation responses return HTTP 200 with a JSON body containing 'No Available Actions' and a 'label' key — use this as a response-side detection signal in WAF/proxy logs.
  • Exploitation is observed from Starlink IP space; threat intelligence enrichment on source IPs hitting /api/v1/node-load-method/customMCP should include ASN checks for Starlink (AS14593).
  • Flowise instances exposed on the public internet can be identified via Shodan using the query http.title:"Flowise" — use this to enumerate your own exposure or track attacker reconnaissance.
  • The Metasploit module targets Flowise versions >= 2.2.7-patch.1 and < 3.0.1; version fingerprinting of Flowise deployments in this range should be treated as high-priority patching targets.
  • The exploit works unauthenticated by default — Flowise versions before 3.0.1 run without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are explicitly configured. If Basic Auth IS enabled, credentials must be supplied for the exploit to succeed.
  • The vulnerability is only exploitable in Flowise versions before 3.0.1; the fix was introduced in 3.0.1 for CVE-2025-8943 specifically. Defenders should also be aware of co-exploited CVE-2025-26319 (arbitrary file upload, CVSS 8.9) and CVE-2025-59528 (JS code injection, CVSS 10.0) affecting overlapping version ranges.
  • Between 12,000 and 15,000 Flowise instances are currently exposed on the public internet, making opportunistic mass exploitation highly feasible. Removing instances from public internet access is recommended if external access is not required.
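A log-side detector that applies the request- and response-side indicators listed above, added here as an example (it is not code from the page's sources or from the Flowise project). The record layout (method, path, headers, body, status, response) and the sample records are constructed assumptions; the endpoint, header and JSON field names are the ones quoted on this page.

```python
import json

# Indicators quoted on this page for CVE-2025-8943 (Flowise Custom MCP RCE).
CUSTOM_MCP_PATH = "/api/v1/node-load-method/customMCP"
SPOOFED_HEADER = ("x-request-from", "internal")
RESPONSE_MARKER = "No Available Actions"


def analyze_request(req):
    """Return the indicator names matched by one request/response record.

    `req` is a dict with method, path, headers (dict), body (str) and, when the
    proxy logged it, status (int) and response (str). Records that are not POSTs
    to the customMCP endpoint are ignored; an empty list means nothing matched.
    """
    hits = []
    if req.get("method", "").upper() != "POST" or req.get("path") != CUSTOM_MCP_PATH:
        return hits
    hits.append("post_to_customMCP")

    # HTTP header names are case-insensitive; normalise before comparing.
    headers = {k.lower(): v.strip() for k, v in req.get("headers", {}).items()}
    if headers.get(SPOOFED_HEADER[0], "").lower() == SPOOFED_HEADER[1]:
        hits.append("spoofed_internal_header")

    # Body shape from the page: an mcpServerConfig object carrying command/args.
    try:
        body = json.loads(req.get("body") or "{}")
    except json.JSONDecodeError:
        body = {}
    cfg = body.get("mcpServerConfig") if isinstance(body, dict) else None
    if isinstance(cfg, dict) and ({"command", "args"} & cfg.keys()):
        hits.append("mcpServerConfig_with_command_or_args")

    # Response-side signal: HTTP 200, JSON with 'No Available Actions' and a 'label' key.
    raw = req.get("response") or ""
    if req.get("status") == 200 and RESPONSE_MARKER in raw:
        try:
            resp = json.loads(raw)
        except json.JSONDecodeError:
            resp = None
        if isinstance(resp, dict) and "label" in resp:
            hits.append("response_no_available_actions")
    return hits


def scan(records):
    """Map record index -> matched indicators, omitting records with no hits."""
    return {i: h for i, r in enumerate(records) if (h := analyze_request(r))}


# Constructed sample records (not real traffic); values are placeholders.
SAMPLE_RECORDS = [
    {"method": "POST", "path": CUSTOM_MCP_PATH,
     "headers": {"X-Request-From": "internal", "Content-Type": "application/json"},
     "body": json.dumps({"mcpServerConfig": {"command": "CONSTRUCTED_CMD", "args": ["CONSTRUCTED_ARG"]}}),
     "status": 200, "response": json.dumps({"label": "No Available Actions"})},
    {"method": "GET", "path": "/api/v1/chatflows", "headers": {}, "body": ""},
    {"method": "POST", "path": CUSTOM_MCP_PATH, "headers": {}, "body": "{}",
     "status": 401, "response": "Unauthorized"},
]
```

Feed it request records parsed from a reverse proxy or WAF log; the first sample trips all four indicators, while the authenticated-rejected third sample only records that the endpoint was hit.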

CVSS provenance

NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL