CVE-2025-59528 Overview
CVE-2025-59528 is a critical remote code execution vulnerability affecting Flowise, a popular drag-and-drop user interface for building customized large language model (LLM) flows. The vulnerability exists in version 3.0.5 where the CustomMCP node improperly handles user-provided configuration data, allowing attackers to execute arbitrary JavaScript code with full Node.js runtime privileges.
The CustomMCP node is designed to allow users to configure connections to external MCP (Model Context Protocol) servers. However, the convertToValidJSONString function within this component directly passes user-supplied input to the JavaScript Function() constructor without any security validation or sanitization. This dangerous pattern enables attackers to inject and execute malicious code that can access sensitive Node.js modules such as child_process and fs, leading to complete system compromise.
Critical Impact
Unauthenticated remote code execution allowing attackers to gain full control of the underlying server, execute system commands, read/write files, and potentially pivot to other network resources.
Affected Products
- Flowise version 3.0.5
- FlowiseAI Flowise (versions prior to 3.0.6)
Discovery Timeline
- 2025-09-22 - CVE-2025-59528 published to NVD
- 2025-09-23 - Last updated in NVD database
Technical Details for CVE-2025-59528
Vulnerability Analysis
This vulnerability represents a severe code injection flaw stemming from the unsafe use of dynamic code evaluation in a web application context. The CustomMCP node in Flowise allows users to input configuration settings for connecting to external MCP servers through a mcpServerConfig string parameter. During the parsing of this configuration, the application calls the convertToValidJSONString function which employs the JavaScript Function() constructor to process user input.
The Function() constructor in JavaScript creates a new function object from a string of code, effectively acting as an eval() equivalent. When user-controlled data is passed directly to this constructor without proper validation, it creates a direct path for arbitrary code execution. Since Flowise runs as a Node.js application, executed code has access to the full Node.js runtime environment, including dangerous built-in modules.
An attacker exploiting this vulnerability could leverage modules like child_process to execute system commands, fs to read or write arbitrary files, or net to establish network connections. This level of access could lead to data exfiltration, installation of backdoors, lateral movement within a network, or complete server takeover.
Root Cause
The root cause of CVE-2025-59528 is the direct use of the Function() constructor with unsanitized user input in the convertToValidJSONString function. The vulnerable code path exists in the CustomMCP component located at CustomMCP.ts L132 and related locations at L220 and L262-L270.
The application lacks input validation, output encoding, and sandboxing mechanisms that would prevent malicious code from being executed. Additionally, the design does not follow the principle of least privilege, as the code execution context has full access to Node.js capabilities rather than being restricted to only the necessary parsing operations.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft a malicious mcpServerConfig payload containing JavaScript code that will be executed when processed by the vulnerable convertToValidJSONString function.
The attack flow involves:
- An attacker identifies a Flowise instance running version 3.0.5
- The attacker accesses the CustomMCP node configuration interface
- A specially crafted configuration string containing malicious JavaScript is submitted as the mcpServerConfig parameter
- The server-side code passes this input to the Function() constructor
- The malicious code executes with full Node.js privileges, allowing the attacker to spawn child processes, access the filesystem, or perform other malicious actions
The vulnerability is particularly dangerous because it requires no special privileges or authentication, making any exposed Flowise 3.0.5 instance a potential target for exploitation.
Detection Methods for CVE-2025-59528
Indicators of Compromise
- Unexpected processes spawned as child processes of the Node.js Flowise process
- Anomalous outbound network connections from the Flowise server
- Unusual file system access patterns, particularly reads or writes to sensitive directories
- Suspicious entries in application logs referencing the CustomMCP node with abnormal configuration strings
- Presence of newly created files or modified system configurations following Flowise interactions
Detection Strategies
- Monitor Node.js process behavior for spawning of child processes, especially command shells or system utilities
- Implement web application firewall (WAF) rules to detect and block requests containing JavaScript code patterns in configuration parameters
- Enable verbose logging for the Flowise application and review logs for unusual CustomMCP configuration submissions
- Deploy endpoint detection and response (EDR) solutions to identify and alert on code injection attack patterns
Monitoring Recommendations
- Configure network monitoring to alert on unexpected outbound connections from the Flowise server
- Implement file integrity monitoring on critical system directories and the Flowise installation path
- Set up real-time log analysis for the Flowise application with alerting for error patterns or unusual API requests
- Deploy SentinelOne agents on servers running Flowise to leverage behavioral AI detection capabilities for identifying RCE attempts
How to Mitigate CVE-2025-59528
Immediate Actions Required
- Upgrade Flowise to version 3.0.6 or later immediately
- If immediate upgrade is not possible, restrict network access to the Flowise instance using firewall rules
- Implement authentication requirements if not already in place to limit exposure
- Review application logs for signs of prior exploitation attempts
- Consider temporarily disabling the CustomMCP node functionality until patching is complete
Patch Information
FlowiseAI has released version 3.0.6 which addresses this vulnerability. The patch can be obtained from the official FlowiseAI Release Version 3.0.6. Organizations should prioritize this update due to the critical severity and network-exploitable nature of the vulnerability. Additional details about the security fix are available in the FlowiseAI Security Advisory GHSA-3gcm-f6qx-ff7p.
Workarounds
- Place Flowise behind a reverse proxy with authentication requirements to prevent unauthorized access
- Implement network segmentation to isolate the Flowise server from sensitive internal resources
- Deploy a web application firewall (WAF) with rules to block JavaScript code patterns in request parameters
- Disable external network access to the Flowise instance if remote access is not required
- Regularly audit and monitor the CustomMCP node usage and configuration submissions
# Example: Restrict network access to Flowise using iptables
# Allow only trusted IP ranges to access Flowise port (default 3000)
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
# Example: Place Flowise behind nginx with basic authentication
# Add to nginx configuration
# location / {
# auth_basic "Restricted Access";
# auth_basic_user_file /etc/nginx/.htpasswd;
# proxy_pass http://localhost:3000;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
