### Critical Vulnerability Information #### Vulnerability Overview - **Vulnerability Type**: RCE (Remote Code Execution) - **Severity**: Critical (CVSS v3 Base Score: 10.0/10) - **CVE ID**: CVE-2025-50528 - **Affected Version**: 3.0.5 - **Fixed Version**: 3.0.6 #### Vulnerability Cause The `@flowise/node` module in Flowise allows users to input configuration settings to connect to external MCP (Model Context Protocol) servers. During the parsing of the user-provided `mcpServerConfig` string, the input is directly passed to the `Function()` constructor, enabling arbitrary JavaScript code execution. #### Vulnerability Flow 1. User input is submitted via the API endpoint `/api/v1/node-load-method/customMCP`. 2. The `substituteVariablesInString` function replaces template variables without any security filtering. 3. The `convertToValidJSONString` function executes the input using `Function('return ' + inputString)()`. If the input contains malicious code, it runs in the global Node.js context. #### Taint Flow - Taint 01: Route Registration (`index.ts`) - Taint 02: Controller (`index.ts`) - Taint 03: Service (`index.ts`) - Taint 04: Custom MCP Node Entry Point (`CustomMCP.ts`) - Taint 05: Variable Substitution (`CustomMCP.ts`) - Taint 06: Dangerous Constructor Execution (`CustomMCP.ts`) #### Proof of Concept (PoC) ```bash curl -X POST http://localhost:3000/api/v1/node-load-method/customMCP \ -H "Content-Type: application/json" \ -H "Authorization: Bearer twfIfpgZG-nwLu29h7VbHriOaISZlDZjFSxzr7nd9QY" \ -d '{"listMethod": "listActions", "inputs": {"mcpServerConfig": "{x:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(`echo ls ->RCE.txt`)})()}}" ``` #### Impact - Full system compromise and infrastructure threat - Complete system takeover - File system access - Command execution - Sensitive data exposure This vulnerability can be exploited with just a single API token, posing an extreme security risk to business continuity and customer data.