A vulnerability was found in Campcodes Online Flight Booking Management System 1
Description
A vulnerability was found in Campcodes Online Flight Booking Management System 1
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Flowise
PRODUCT: Flowise
AFFECTED_VERSIONS: See vendor advisory
CONFIDENCE: medium
MISSING: versions, patch, exploit_status, technical_details
---END_METADATA---
Description Summary:
The Custom MCPs feature in Flowise contains an authentication and authorization flaw that allows for the unauthorized execution of arbitrary OS commands.
Executive Summary:
A critical authentication and authorization flaw in the Flowise Custom MCPs feature allows unauthenticated attackers to execute arbitrary OS commands, posing a severe risk of system compromise.
Vulnerability Details
CVE-ID: CVE-2025-8943
Affected Software: Flowise
Affected Versions: See vendor advisory
Vulnerability: The vulnerability exists within the Custom MCPs feature, which is designed to execute OS commands via tools like npx. Due to insufficient authentication and authorization controls, an unauthenticated attacker can trigger these commands, leading to remote code execution.
Business Impact
The ability for an unauthenticated attacker to execute arbitrary OS commands represents a critical risk to the confidentiality, integrity, and availability of the host environment. With a CVSS score of 9.8, this vulnerability could allow full system compromise, data exfiltration, or the deployment of persistent malware, resulting in significant operational downtime and reputational damage.
Remediation Plan
Immediate Action: Identify and update the Flowise instance to the latest security release provided by the vendor to remediate the authorization logic.
Proactive Monitoring: Review system and application logs for unusual command execution patterns or the spawning of unexpected child processes from the Flowise service.
Compensating Controls: Restrict network access to the Flowise interface using a firewall or VPN to ensure that the management interface is not exposed to untrusted networks.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Aug 14, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the critical CVSS severity of 9.8, administrators must prioritize the identification and patching of all exposed Flowise instances. Immediate application of the latest vendor-supplied update is required to close the authorization gap and prevent potential remote code execution attacks.