PT-2025-39075 · Flowise · Flowise

Published 2025-09-15 · Updated 2026-04-06 · CVE-2025-59528

CVSS v3.1: 10 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Flowise versions 3.0.5

Description: Flowise, a drag-and-drop user interface for building customized large language model flows, has a remote code execution vulnerability in version 3.0.5. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string and executes it as JavaScript code without any security validation. Specifically, the convertToValidJSONString function passes the user input directly to the Function() constructor, which executes the input as JavaScript with full Node.js runtime privileges, granting access to modules such as child_process and fs. Exploitation of this vulnerability has been observed, affecting an estimated 12,000 to 15,000 instances. The vulnerability is triggered by submitting malicious code through the /api/v1/node-load-method/customMCP API endpoint via the mcpServerConfig parameter. The taint flow originates at route registration, passes through a controller and a service, enters the CustomMCP node, undergoes variable substitution, and culminates in dangerous code execution via the Function() constructor. A proof of concept demonstrates the ability to execute commands on the server by creating a file in the /tmp directory.

Recommendations: Update to version 3.0.6 or later.
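The bug class described above, as an added illustration that is not Flowise's own code: the unsafe helper is an assumed reconstruction of the pattern (user string handed to the Function() constructor so that loose object literals are tolerated), placed beside a hardened version that treats mcpServerConfig strictly as JSON data, plus a check a defender can apply to incoming values. The sample inputs are constructed.

```javascript
'use strict';

// Added example for this advisory; not Flowise's own code. It assumes the
// CustomMCP helper looks roughly like convertToValidJSONStringUnsafe: the
// user-supplied mcpServerConfig string is evaluated with the Function()
// constructor so that loose JavaScript object literals are accepted.

// Vulnerable pattern: the string is executed as code, so whatever the
// submitter writes runs with the Node.js process's privileges.
function convertToValidJSONStringUnsafe(inputString) {
  const jsObject = Function('"use strict"; return (' + inputString + ')')();
  return JSON.stringify(jsObject, null, 2);
}

// Hardened pattern: the string is parsed as data only. Strict JSON cannot
// carry expressions, so non-JSON input is rejected instead of executed.
function convertToValidJSONStringSafe(inputString) {
  let parsed;
  try {
    parsed = JSON.parse(inputString);
  } catch (err) {
    throw new Error('mcpServerConfig must be strict JSON: ' + err.message);
  }
  // The node expects an object describing the server, not a scalar or array.
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  return JSON.stringify(parsed, null, 2);
}

// Defensive check for request handling or log review: does this
// mcpServerConfig value parse as a JSON object at all? A value that does
// not is either a typo or an attempt to reach an evaluator.
function isStrictJsonObjectConfig(inputString) {
  try {
    convertToValidJSONStringSafe(inputString);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs: a valid config, and a JavaScript object literal
// that JSON.parse rejects but the Function() constructor happily evaluates.
const SAMPLE_VALID_CONFIG = '{"command":"npx","args":["-y","example-mcp-server"]}';
const SAMPLE_LOOSE_LITERAL = '{command: "npx", args: []}';
```

The loose literal is exactly the kind of input the evaluator was written to tolerate; the hardened helper rejects it and so closes the path by which arbitrary code reached Function().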

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers: BDU:2026-03235, CVE-2025-59528, GHSA-3GCM-F6QX-FF7P

Affected Products: Flowise