CVE-2025-8943
Published: 14 August 2025
Summary
CVE-2025-8943 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
Flowise versions before 3.0.1 are affected by a remote code execution vulnerability in the Custom MCPs feature. This capability is designed to invoke operating system commands, including tools such as npx to launch local MCP servers, yet the application implements only minimal authentication and authorization controls and lacks role-based access controls. Prior to version 3.0.1, the default installation runs without authentication unless explicitly configured, exposing the command execution path directly to the network.
Unauthenticated remote attackers can therefore supply arbitrary OS commands through the Custom MCPs interface and achieve full control over the underlying host, including the ability to read, modify, or delete data and disrupt service availability. The issue is tracked under CWE-306 and CWE-862 and is rated 9.8 under CVSS 3.1.
A technical analysis of the flaw and its impact is provided in the JFrog advisory at https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/. The associated EPSS score has remained elevated, reaching a peak of 0.8937.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24801
Vulnerability details
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise…
more
versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: flowise, mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE via public-facing Custom MCPs feature in Flowise.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses permitting critical OS command execution via Custom MCPs without identification or authentication by requiring documentation and restriction of such actions.
Enforces approved authorizations to block unauthenticated access to the Custom MCPs feature that executes unsandboxed OS commands.
Implements least privilege and RBAC to restrict OS command execution to only authorized users or roles, mitigating the lack of authorization controls.