Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess

An attacker with any Flowise account role or API access with view/update permissions for chatflows can configure a malicious Custom MCP Server. Three bypass methods exist: (1) using `docker build` (not blocked) to pull a remote Dockerfile with malicious RUN instructions [ref_id=1]; (2) using `npx --yes` (the long-parameter alias is not blocked while only `-y` is) to auto-install and execute an arbitrary npm package [ref_id=1]; (3) using `node` with a `//`-prefixed absolute path to bypass the regex in `validateArgsForLocalFileAccess` and execute a local uploaded script [ref_id=1]. All three lead to arbitrary command execution on the Flowise host.

The vulnerable functions are `validateCommandFlags` and `validateArgsForLocalFileAccess` in `packages/components/nodes/tools/MCP/core.ts`. `validateCommandFlags` uses an incomplete blocklist that omits `build` for Docker and `--yes` for npx. `validateArgsForLocalFileAccess` uses a regex `/^\/[^/]/` that fails to block paths starting with `//`, allowing bypass of local file access restrictions.

The advisory does not include a patch diff, but the fix must address three gaps: add `build` to the Docker blocklist in `COMMAND_FLAG_BLACKLIST`; add `--yes` to the npx blocklist; and correct the regex in `validateArgsForLocalFileAccess` so that paths starting with `//` are also rejected. Without these changes, an attacker can chain the bypasses to achieve RCE.