Cyber Resilience

CVE-2025-8943

Critical · Public PoC

Published: 14 August 2025

Modified: 23 September 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8647 (99.4th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8943 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

Flowise versions before 3.0.1 are affected by a remote code execution vulnerability in the Custom MCPs feature. This capability is designed to invoke operating system commands, including tools such as npx to launch local MCP servers, yet the application implements only minimal authentication and authorization controls and lacks role-based access controls. Prior to version 3.0.1, the default installation runs without authentication unless explicitly configured, exposing the command execution path directly to the network.

Unauthenticated remote attackers can therefore supply arbitrary OS commands through the Custom MCPs interface and achieve full control over the underlying host, including the ability to read, modify, or delete data and disrupt service availability. The issue is tracked under CWE-306 and CWE-862 and is rated 9.8 under CVSS 3.1.

A technical analysis of the flaw and its impact is provided in the JFrog advisory at https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/. The associated EPSS score has remained elevated, reaching a peak of 0.8937.

EU & UK References

Vulnerability details

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.

CWE(s)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: flowise, mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via public-facing Custom MCPs feature in Flowise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-58434 (same product: Flowiseai Flowise)
CVE-2025-34267 (same product: Flowiseai Flowise)
CVE-2026-41274 (same product: Flowiseai Flowise)
CVE-2026-41273 (same product: Flowiseai Flowise)
CVE-2026-30824 (same product: Flowiseai Flowise)
CVE-2026-40933 (same product: Flowiseai Flowise)
CVE-2025-59528 (same product: Flowiseai Flowise)
CVE-2026-41277 (same product: Flowiseai Flowise)
CVE-2026-41272 (same product: Flowiseai Flowise)
CVE-2025-61913 (same product: Flowiseai Flowise)

Affected Assets

flowiseai flowise ≤ 3.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly addresses permitting critical OS command execution via Custom MCPs without identification or authentication by requiring documentation and restriction of such actions.

prevent

Enforces approved authorizations to block unauthenticated access to the Custom MCPs feature that executes unsandboxed OS commands.

prevent

Implements least privilege and RBAC to restrict OS command execution to only authorized users or roles, mitigating the lack of authorization controls.

References