PT-2025-39075 · Flowise · Flowise

Published: 2025-09-15 · Updated: 2026-04-17 · CVE-2025-59528

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.6

Description: A remote code execution issue exists in the CustomMCP node of Flowise, which allows users to input configuration settings for connecting to an external Model Context Protocol (MCP) server. The software parses the mcpServerConfig string to build the configuration but executes JavaScript code without security validation. Specifically, within the convertToValidJSONString() function, user input is passed directly to the Function() constructor, which evaluates and executes the input as JavaScript code. Because this process runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This flaw can be exploited via the API endpoint '/api/v1/node-load-method/customMCP' using the mcpServerConfig parameter. Between 12,000 and 15,000 internet-facing instances are estimated to be exposed, and active exploitation has been observed in the wild, including activity originating from a Starlink IP.

Recommendations: Update Flowise to version 3.0.6 or later. As a temporary workaround, disable or restrict access to the CustomMCP node and the '/api/v1/node-load-method/customMCP' endpoint.

Exploit

Fix

RCE

LPE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-03235
CVE-2025-59528
GHSA-3GCM-F6QX-FF7P

Affected Products

Flowise