CVE-2025-71336 - Flowise Custom MCP auth bypass RCE
Flowise before 3.0.6 exposed a critical command-execution path in the Custom
MCP feature. An attacker could send a crafted request to
/api/v1/node-load-method/customMCP, spoof the x-request-from: internal
header, and make the server execute arbitrary OS commands intended for local
MCP process launch.
Because default Flowise deployments are often weakly authenticated or expose broad chatflow editing power, this is an application-layer auth bypass plus server-side process execution issue.
When to use it
Use this recipe when a repository deploys Flowise, vendors Flowise, ships Flowise images/manifests, exports chatflows with Custom MCP usage, or carries an equivalent MCP stdio launch feature. It is designed for source-code and deployment remediation, MCP trust-boundary review, command-execution containment, and evidence that untrusted callers cannot launch arbitrary local MCP processes.
Inputs
- Flowise version, npm lockfiles, Docker/compose/chart/manifests, exported chatflows, Custom MCP feature flags, route authorization code, and generated dependency or SBOM reports.
- Source paths that handle
/api/v1/node-load-method/customMCP,x-request-from, internal request trust, MCP server creation/testing, process launch, environment injection, or command allow-lists. - Regression fixtures for forged internal headers, non-admin callers, disabled Custom MCP, approved registry entries, denied arbitrary commands, and secret redaction.
- Boundary evidence: Flowise roles, exposed deployments, MCP environment values, provider keys, writable volumes, logs, image owners, and rollout owner.
Affected versions
- Vulnerable:
flowise <3.0.6 - Fixed:
flowise 3.0.6+ - Affected surface: Custom MCP route handling, request trust boundaries, and server-side stdio MCP launch behavior
Indicator-of-exposure
- The repository deploys or vendors Flowise
<3.0.6. - Custom MCP is enabled or not explicitly disabled.
- Server code trusts
x-request-fromor similar internal-origin headers. - Flowise workers can reach secrets, source trees, package managers, metadata services, writable volumes, or deployment credentials.
Quick checks:
rg -n "customMCP|node-load-method|x-request-from|internal|stdio|spawn|exec|Custom MCP" .
npm ls flowise
pnpm why flowise
Windows:
rg -n "customMCP|node-load-method|x-request-from|internal|stdio|spawn|exec|Custom MCP" .
npm ls flowise
pnpm why flowise
Remediation strategy
- Upgrade Flowise to
3.0.6+. - Remove trust in caller-controlled internal-origin headers.
- Restrict Custom MCP creation and execution to trusted administrators only, or disable the feature entirely until every controlled runtime is patched.
- Replace raw command configuration with an approved registry of allowed MCP servers, pinned binaries, and explicit least-privilege execution policy.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2025-71336 / GHSA-q2xp-j85q-883h in Flowise. A forged
internal-request header can reach the Custom MCP endpoint and trigger arbitrary
OS command execution. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Flowise, removes header-based
trust, locks down Custom MCP execution, adds regression coverage, and
documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected Flowise runtime.
## Rules
- Scope only CVE-2025-71336 and directly related Custom MCP request handling.
- Treat Flowise credentials, MCP environment values, provider keys, and
deployment secrets as sensitive.
- Do not execute attacker-controlled commands or create live exploit payloads.
- Do not rely on UI-only controls while the server route remains reachable.
- Do not auto-merge.
## Steps
1. Inventory every Flowise package, image, compose file, chart, manifest, and
exported chatflow controlled by this repository.
2. Confirm whether any runtime resolves `<3.0.6`.
3. Trace the Custom MCP route, request-origin checks, and process-launch path.
4. If this repository does not control an affected Flowise runtime, stop with
`TRIAGE.md` naming the owner and required fixed version `3.0.6+`.
5. Upgrade to `3.0.6+` and refresh locks, images, SBOMs, and deployment
artifacts.
6. Remove spoofable header trust and require real server-side authorization for
Custom MCP creation, testing, and execution.
7. Disable or tightly govern stdio MCP launch until only approved registry
entries can run.
8. Add regression tests proving external callers cannot reach the vulnerable
endpoint with forged internal headers.
9. Add a PR body section named `CVE-2025-71336 operator actions` covering:
- versions before and after;
- whether Custom MCP was enabled;
- which roles could create or test MCP servers before the patch;
- which secrets, keys, and logs need review or rotation;
- validation that passed.
10. Run available validation: tests, build, image build, deployment render, and
dependency/security scans.
11. Use PR title:
`fix(sec): block Flowise Custom MCP auth bypass RCE`.
## Stop conditions
- No affected Flowise runtime is controlled by this repository.
- Verification would require running attacker-controlled commands.
- Product requirements intentionally allow untrusted users to define local MCP
commands; document the risk and stop for review.
- Validation fails for unrelated pre-existing reasons; document those failures.
Output contract
- A reviewer-ready PR or change request that upgrades Flowise, removes spoofable header trust, restricts Custom MCP execution, refreshes deployment artifacts, and documents secret/operator review.
- Or a
TRIAGE.mdfile that lists inspected packages/images/manifests, owner, observed version, Custom MCP exposure boundary, required fix, and residual risk. - The output must include exact validation commands and must not run attacker- controlled commands, print MCP environment values, expose provider keys, or broaden command execution to make tests pass.
Verification - what the reviewer looks for
- No controlled Flowise runtime resolves
<3.0.6. - Forged internal-request headers no longer bypass authorization.
- Untrusted users cannot create or execute arbitrary stdio MCP commands.
- Operator notes cover secret review and credential rotation if exposure existed.
Watch for
- Upgrading the package but leaving managed deployments on an older image.
- Blocking the UI while the API route still accepts forged headers.
- Keeping Custom MCP enabled without a finite allow-list or admin-only gate.
Related recipes
- Source code attack surface map
- Source code secrets and data exposure audit
- Source code injection sink audit
- NIST SSDF repository evidence check