CVE-2025-8943
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-14

Last updated on: 2025-09-23

Assigner: JFrog

Description
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-14
Last Modified
2025-09-23
Generated
2026-05-07
AI Q&A
2025-08-14
EPSS Evaluated
2026-05-05
NVD
CVE-2025-8943
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flowiseai flowise to 3.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Flowise versions before 3.0.1 where the Custom MCPs feature executes OS commands without proper security controls. The software has minimal authentication and authorization, lacking role-based access controls, and by default does not require authentication. This allows unauthenticated attackers on the network to execute arbitrary OS commands without sandboxing.


How can this vulnerability impact me? :

An attacker exploiting this vulnerability can execute arbitrary operating system commands on the affected system with high privileges, potentially leading to full system compromise, data theft, data loss, or disruption of services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability can negatively impact compliance with standards such as GDPR and HIPAA because it allows unauthorized access and control over systems, potentially leading to unauthorized access to sensitive personal or health data, violating data protection and security requirements.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade Flowise to version 3.0.1 or later, as versions before 3.0.1 operate without authentication by default. Additionally, configure authentication and authorization mechanisms explicitly, and implement role-based access controls (RBAC) to restrict access and prevent unauthenticated OS command execution.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart