CVE-2026-58057
Status: Received - Intake

Flowise Remote Code Execution via NODE_OPTIONS Injection

Vulnerability report for CVE-2026-58057, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulnCheck

Description

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'node_options' bypasses the NODE_OPTIONS denylist entry. An authenticated user who can configure a Custom MCP node can thereby inject NODE_OPTIONS --require and execute arbitrary code in the Flowise server context.


Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor       Product   Version / Range
flowiseai    flowise   up to 3.1.3 (excluding 3.1.3)
flowiseai    flowise   3.1.2

Exploitability

CWE

CWE-178: The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Executive Summary

This vulnerability exists in Flowise versions before 3.1.3 and involves the validation of Custom MCP stdio environment variables. The software uses a case-sensitive denylist to block certain environment variables such as NODE_OPTIONS. However, on Windows, environment variable names are case-insensitive, so an attacker can bypass this denylist by using a lowercase variant like 'node_options'.

An authenticated user who can configure a Custom MCP node can exploit this bypass to inject NODE_OPTIONS with the --require flag, allowing them to execute arbitrary code within the Flowise server context. This effectively leads to remote code execution (RCE) on the server.

Impact Analysis

The vulnerability allows an authenticated user with permission to configure a Custom MCP node to execute arbitrary code on the Flowise server. This can lead to unauthorized actions such as running malicious scripts, compromising server integrity, accessing sensitive data, or disrupting service availability.

Because the bypass depends on Windows treating environment variable names case-insensitively, deployments on that platform are the ones at risk. The impact is potential remote code execution in the Flowise server context, which is a serious security risk.

Detection Guidance

This vulnerability can be detected by checking for the presence of environment variables in the Custom MCP stdio configuration that bypass the denylist due to case sensitivity issues, specifically the use of 'node_options' instead of 'NODE_OPTIONS' on Windows systems.

One practical approach is to inspect the environment variables configured for Custom MCP nodes to see if any lower-case variants of blocked variables like 'node_options' are present.

Because the variables in question are set in the Flowise server context, listing environment variables or Custom MCP node configurations on the Windows host or inside the Flowise deployment can help surface exploitation attempts.

  • On Windows, use PowerShell to list environment variables: `Get-ChildItem Env:` and check for 'node_options' or similar variants.
  • Inspect Flowise Custom MCP node configurations for environment variables set with lower-case names that should be blocked.
  • Monitor for unexpected file creations or code execution traces that might indicate exploitation, as demonstrated by the proof-of-concept creating marker files.

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.1.3 or later, where the vulnerability has been fixed by implementing an operator-controlled allow-list for environment variables and normalizing environment variable name comparisons.

Until the upgrade can be applied, restrict the set of authenticated users permitted to configure Custom MCP nodes, since exploitation requires that privilege.

Additionally, review and sanitize environment variable configurations in Custom MCP nodes to ensure no bypassing variables like 'node_options' are set.

Consider applying platform-aware validation or manual checks to prevent case-insensitive bypasses on Windows systems.
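The following is an added example written for this report; it is not Flowise's own code and does not reproduce the project's actual validation routine. It shows, for the detection guidance and the mitigation strategies above, the case-sensitive denylist comparison that CWE-178 describes next to a normalized comparison, an operator-controlled allow-list check of the kind the fix introduces, and a scanner that flags stored Custom MCP node configurations carrying bypass variants such as 'node_options'. The names `EnvMap`, `DENYLIST`, `isEnvDenied*`, `rejectedEnvNames`, `scanConfigs` and the sample configurations are assumptions made for this example; the page only names NODE_OPTIONS as a denylisted variable.

```typescript
// Added example (not Flowise code). Contrasts a case-sensitive denylist check,
// which Windows' case-insensitive environment names let 'node_options' slip past,
// with normalized and allow-list checks, and scans stored configs for bypass variants.

type EnvMap = Record<string, string>;

// Example denylist (assumption): the report only names NODE_OPTIONS.
const DENYLIST: readonly string[] = ["NODE_OPTIONS"];

// Vulnerable pattern: exact comparison. On Windows the child process sees
// "node_options" as NODE_OPTIONS, but this check never matches it.
function isEnvDeniedCaseSensitive(name: string): boolean {
  return DENYLIST.includes(name);
}

// Hardened pattern: normalize the name before comparing. Doing this on every
// platform is simpler than branching on process.platform === "win32".
function isEnvDeniedNormalized(name: string): boolean {
  const normalized = name.trim().toUpperCase();
  return DENYLIST.some((denied) => denied.toUpperCase() === normalized);
}

// Allow-list alternative: only operator-approved names may be set at all,
// so an unknown name is rejected regardless of casing.
function isEnvAllowed(name: string, allowList: readonly string[]): boolean {
  const normalized = name.trim().toUpperCase();
  return allowList.some((allowed) => allowed.toUpperCase() === normalized);
}

// Validate a node's environment map and return the names that must be rejected.
// With an allow-list, anything not on it is rejected; otherwise the denylist applies.
function rejectedEnvNames(env: EnvMap, allowList?: readonly string[]): string[] {
  return Object.keys(env).filter((name) =>
    allowList ? !isEnvAllowed(name, allowList) : isEnvDeniedNormalized(name)
  );
}

// Detection: scan stored Custom MCP node configurations for denylisted names
// in any casing. Shape of the config records is assumed for this example.
interface McpNodeConfig {
  nodeId: string;
  env: EnvMap;
}

interface Finding {
  nodeId: string;
  variable: string;
}

function scanConfigs(configs: McpNodeConfig[]): Finding[] {
  const findings: Finding[] = [];
  for (const cfg of configs) {
    for (const name of Object.keys(cfg.env)) {
      if (isEnvDeniedNormalized(name)) {
        findings.push({ nodeId: cfg.nodeId, variable: name });
      }
    }
  }
  return findings;
}

// Constructed sample data (not real Flowise records); values are placeholders.
const SAMPLE_CONFIGS: McpNodeConfig[] = [
  { nodeId: "mcp-1", env: { PATH: "C:\\tools", LOG_LEVEL: "debug" } },
  { nodeId: "mcp-2", env: { node_options: "<placeholder value>" } },
  { nodeId: "mcp-3", env: { Node_Options: "<placeholder value>", HOME: "C:\\Users\\svc" } },
];

// Summarize how many sample variables each check catches, for the reader running this.
function demo(): { caseSensitive: number; normalized: number; findings: Finding[] } {
  const names = SAMPLE_CONFIGS.flatMap((c) => Object.keys(c.env));
  return {
    caseSensitive: names.filter(isEnvDeniedCaseSensitive).length,
    normalized: names.filter(isEnvDeniedNormalized).length,
    findings: scanConfigs(SAMPLE_CONFIGS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the case-sensitive check catching none of the sample variables while the normalized check and the scanner flag the two bypass variants. Note that these variables are supplied to the MCP stdio child process from the node configuration, so `Get-ChildItem Env:` in a shell on the host will not necessarily show them; reviewing the stored node configurations, as the scanner does, is the more direct check.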
