Flowise Vulnerability Exposes Millions to Remote Code Risks

Flowise Vulnerability Exposes Millions to Remote Code Risks

Posted on By CWS

A significant security flaw in Flowise and several AI frameworks has been identified by OX Security, putting millions of users at risk of remote code execution. This vulnerability is linked to the Model Context Protocol (MCP), a vital communication standard for AI agents developed by Anthropic.

Understanding the MCP Flaw

Unlike typical software bugs, this issue arises from a fundamental design choice within Anthropic’s MCP SDKs, affecting multiple programming languages including Python, TypeScript, Java, and Rust. Developers utilizing the MCP framework inadvertently expose their applications to potential attacks, broadening the risk across the AI ecosystem.

The vulnerability allows attackers to run arbitrary commands on affected systems, granting access to sensitive data, internal databases, API keys, and chat histories. OX Security demonstrated this by executing commands on six production platforms, with Flowise being notably impacted.

Widespread Impact and Exploitation

Researchers have identified a ‘hardening bypass’ attack vector targeting Flowise, showing that even systems with additional protections remain vulnerable. The potential impact is vast, with over 150 million downloads, more than 7,000 public servers, and approximately 200,000 vulnerable instances.

At least ten CVEs have been issued for vulnerabilities in platforms like LiteLLM, LangChain, GPT Researcher, Windsurf, DocsGPT, and IBM’s LangFlow. Four primary exploitation methods were confirmed, including unauthenticated UI injection and zero-click prompt injection in AI IDEs like Windsurf and Cursor.

Response and Recommendations

Despite repeated recommendations from OX Security for root-level patches to protect downstream users, Anthropic declined to implement these changes, describing the behavior as ‘expected.’ Following this, immediate action is advised for security teams to mitigate the risk.

Key measures include blocking public internet exposure of AI services, treating all external MCP configuration input as untrusted, and installing MCP servers only from verified sources. Additionally, running MCP-enabled services in sandboxed environments and monitoring AI tool invocations for abnormal activity is crucial.

OX Security has implemented platform-level protections for its clients, highlighting STDIO MCP configurations involving user input as a priority for remediation.

Stay informed by following our updates on Google News, LinkedIn, and X. For more insights, reach out to feature your stories.

Cyber Security News Tags:, , , , , , , , ,

Related Posts

IRGC-Linked APT35 Structure, Tools, and Espionage Operations Disclosed IRGC-Linked APT35 Structure, Tools, and Espionage Operations Disclosed Cyber Security News
Threat Actors Using Fake Notepad++ and 7-zip Websites to Deploy Remote Monitoring Tools Threat Actors Using Fake Notepad++ and 7-zip Websites to Deploy Remote Monitoring Tools Cyber Security News
Hackers Using ClickFix Technique to Attack Windows Machine and Execute Powershell Commands Hackers Using ClickFix Technique to Attack Windows Machine and Execute Powershell Commands Cyber Security News
CodeSign Secure v3.02: Future of Code Signing with PQC CodeSign Secure v3.02: Future of Code Signing with PQC Cyber Security News
Critical Vulnerability in BeyondTrust Allows Remote Code Execution Critical Vulnerability in BeyondTrust Allows Remote Code Execution Cyber Security News
GravityRAT with Remote Access Capabilities Attacking Windows, Android, and macOS Systems GravityRAT with Remote Access Capabilities Attacking Windows, Android, and macOS Systems Cyber Security News