CVE-2025-71336
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk50th percentile — higher than 50% of all known CVEs
Summary
Flowise before version 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature. An attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, leading to complete compromise of the platform container or server.
Risk Assessment
The risk to the organization is critical because the default Flowise installation runs without authentication and lacks role-based access control, allowing an unauthenticated attacker to fully compromise the platform, potentially leading to data loss, service disruption, or further attacks on the infrastructure.
Recommendation
Immediately upgrade Flowise to version 3.0.6 or later and configure the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables to enable authentication. Additionally, restrict access to the /api/v1/node-load-method/customMCP endpoint to trusted networks only.
Original NVD description (English source)
Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal and lacks role-based access control, and the default installation runs without authentication unless FLOWISE_USERNAME and FLOWISE_PASSWORD are set, an attacker can send a crafted JSON payload with the header 'x-request-from: internal' to the /api/v1/node-load-method/customMCP endpoint to execute arbitrary OS commands, resulting in complete compromise of the platform container or server.

