PT-2025-39075 · Flowise · Flowise

Published 2025-09-15 · Updated 2026-05-11 · CVE-2025-59528

CVSS v3.1: 10.0 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.6

Description: Flowise is a drag-and-drop user interface for building customized large language model (LLM) flows. A critical issue exists in the CustomMCP node, which lets users supply configuration settings for connecting to an external Model Context Protocol (MCP) server. The node parses the mcpServerConfig string to build the server configuration, but the convertToValidJSONString() function passes that string directly to the Function() constructor, which evaluates it as JavaScript without any validation. The evaluated code runs with the full privileges of the Node.js process, so it can load modules such as child_process and fs, giving an attacker remote code execution, file system access and full compromise of the host. The issue is reachable through the mcpServerConfig parameter of the '/api/v1/node-load-method/customMCP' endpoint; the CVSS vector (PR:N, UI:N) indicates that neither authentication nor user interaction is required. It is estimated that between 12,000 and 15,000 internet-facing instances are potentially affected, and active real-world exploitation has been observed.

Recommendations: Update to version 3.0.6 or later. As a temporary workaround, disable or restrict access to the CustomMCP node and the '/api/v1/node-load-method/customMCP' endpoint. Place management and API endpoints behind a VPN or an IP allowlist. Because exploitation has been observed in the wild, revoke and rotate API tokens and credentials stored on or reachable from affected instances.
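The pattern the description reports, reproduced here as an added illustration (this is not Flowise's code; the config layout of command/args/env entries under mcpServers is an assumption about the usual MCP client config shape): a converter that "parses" the mcpServerConfig string by handing it to the Function constructor, next to a replacement that only parses JSON and validates its shape.

```javascript
// Added example, not Flowise's code. Reproduces the evaluation-as-parsing bug
// the advisory describes and shows a strict JSON-based replacement.
// Config field names (mcpServers / command / args / env) are assumptions.

// Vulnerable pattern: the "conversion" is evaluation. Whatever the caller puts
// in mcpServerConfig runs inside the Node.js process with its privileges.
function convertToValidJSONStringVulnerable(input) {
  const value = new Function(`"use strict"; return (${input});`)();
  return JSON.stringify(value);
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Hardened replacement: parse as data, then validate the shape. Nothing in
// this path evaluates user input.
function parseMcpServerConfig(input) {
  if (typeof input !== 'string' || input.length > 64 * 1024) {
    throw new Error('mcpServerConfig must be a string of reasonable size');
  }
  let parsed;
  try {
    parsed = JSON.parse(input);
  } catch {
    throw new Error('mcpServerConfig is not valid JSON');
  }
  if (!isPlainObject(parsed) || !isPlainObject(parsed.mcpServers)) {
    throw new Error('expected an object with an "mcpServers" object');
  }
  for (const [name, server] of Object.entries(parsed.mcpServers)) {
    if (!isPlainObject(server)) throw new Error(`server "${name}" must be an object`);
    if (typeof server.command !== 'string' || server.command === '') {
      throw new Error(`server "${name}": "command" must be a non-empty string`);
    }
    if (server.args !== undefined &&
        !(Array.isArray(server.args) && server.args.every((a) => typeof a === 'string'))) {
      throw new Error(`server "${name}": "args" must be an array of strings`);
    }
    if (server.env !== undefined &&
        !(isPlainObject(server.env) && Object.values(server.env).every((v) => typeof v === 'string'))) {
      throw new Error(`server "${name}": "env" must map strings to strings`);
    }
    for (const key of Object.keys(server)) {
      if (!['command', 'args', 'env'].includes(key)) {
        throw new Error(`server "${name}": unexpected key "${key}"`);
      }
    }
  }
  return parsed;
}

// Constructed inputs. The payload is valid JavaScript but not JSON: it leaves a
// marker on globalThis and reads process state to prove it ran inside the
// server process. A real payload would load child_process or fs from the same
// position, as the advisory describes.
const BENIGN_CONFIG = JSON.stringify({
  mcpServers: { local: { command: 'npx', args: ['-y', 'some-mcp-server'] } },
});
const PAYLOAD = '(() => { globalThis.__pocMarker = "executed:" + process.cwd(); ' +
  'return { mcpServers: { x: { command: "node" } } }; })()';

// Runs both converters over both inputs and reports what happened.
function demo() {
  const result = {};
  delete globalThis.__pocMarker;
  convertToValidJSONStringVulnerable(PAYLOAD); // the payload executes here
  result.vulnerableExecutedPayload = typeof globalThis.__pocMarker === 'string';
  try {
    parseMcpServerConfig(PAYLOAD);
    result.hardenedRejectedPayload = false;
  } catch {
    result.hardenedRejectedPayload = true;
  }
  result.hardenedAcceptedBenign =
    parseMcpServerConfig(BENIGN_CONFIG).mcpServers.local.command === 'npx';
  return result;
}

console.log(demo());
```

The vulnerable converter runs the payload and the marker appears on globalThis; the hardened one rejects it at JSON.parse before any shape check. A syntactically valid JSON object is also a valid JavaScript expression, which is why the original behaviour looked like a lenient JSON parser while actually being an evaluator.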

Tags: Exploit · Fix · LPE · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-03235
CVE-2025-59528
GHSA-3GCM-F6QX-FF7P

Affected Products

Flowise