CVE Catalog

CVE-2025-71336

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.73%

50th percentile — higher than 50% of all known CVEs

Summary

Flowise before version 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature. An attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, leading to complete compromise of the platform container or server.

Risk Assessment

The risk to the organization is critical because the default Flowise installation runs without authentication and lacks role-based access control, allowing an unauthenticated attacker to fully compromise the platform, potentially leading to data loss, service disruption, or further attacks on the infrastructure.

Recommendation

Immediately upgrade Flowise to version 3.0.6 or later and configure the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables to enable authentication. Additionally, restrict access to the /api/v1/node-load-method/customMCP endpoint to trusted networks only.

Original NVD description (English source)

Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS