What happened
Flowise before 3.1.3 validates environment variables for Custom MCP stdio nodes against a denylist using a case-sensitive string comparison. On Windows, environment variable names are case-insensitive, so an authenticated user who can configure a Custom MCP node can supply 'node_options' (lowercase) to bypass the 'NODE_OPTIONS' denylist entry and inject '--require' to load arbitrary code within the Flowise server process. VulnCheck confirmed a proof-of-concept exists (bikini/exploitarium). Fixed in PR #6471, released in Flowise 3.1.3.
Why it matters
Flowise is a widely deployed open-source LLMOps/agent-flow platform. Any authenticated Flowise user with Custom MCP node access — a common role in self-hosted deployments — can escalate to server-level RCE on Windows instances. Since Flowise orchestrates LLM pipelines, a compromised server exposes all API keys, model configurations, connected data sources, and conversation histories for every flow on the instance.
Attack vector
Authenticated user with Custom MCP node configuration access sets environment variable 'node_options' (lowercase) with '--require <malicious_module>' value; Flowise's case-sensitive denylist misses it; arbitrary code runs in the Flowise server process on node spawn
Affected systems
Flowise ≥ 0, < 3.1.3 running on Windows
Mitigation
Upgrade to Flowise 3.1.3 or later. GitHub PR: https://github.com/FlowiseAI/Flowise/pull/6471