关联漏洞
标题:Flowise 安全漏洞 (CVE-2025-8943)描述:Flowise是FlowiseAI开源的一个用于轻松构建 LLM 应用程序的工具。 Flowise 3.0.1之前版本存在安全漏洞,该漏洞源于默认安装缺乏身份验证和基于角色的访问控制,可能导致执行未沙箱化的OS命令。
描述
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
文件快照
id: CVE-2025-8943
info:
name: Flowise < 3.0.1 - Remote Command Execution
author: zezezez
seve
...
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。