← Signals
- flowise
- node
- windows
- rce
- exploitarium
news
Flowise 3.1.2 MCP NODE_OPTIONS Case Bypass
Custom MCP stdio blocks `NODE_OPTIONS` by exact case; Windows honors `node_options` — preload arbitrary JS in child Node process.
Summary
Custom MCP stdio blocks NODE_OPTIONS by exact case; Windows honors node_options — preload arbitrary JS in child Node process. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | Flowise 3.1.2 / flowise-components 3.1.2 (Windows) |
| Primitive | Case-sensitive env denylist vs case-insensitive Windows env slot |
| Impact | Authenticated Flowise user with MCP config access → code execution in worker context. |
Attack Chain
Set node_options=--require loader in MCP env → spawn Node child → marker file / RCE
Mitigation
Normalize env keys to uppercase before denylist; restrict MCP configuration to admins.