CVE-2025-59528: Flowise CustomMCP Code Injection RCE

Status: Actively exploited | CVSS: 10.0 (Critical) | EPSS: 99.25% | Exposure: 12,000+ internet-facing instances

Vulnerability Summary

CVE-2025-59528 affects Flowise, a drag & drop interface for building customized large language model flows. It allows remote code execution through the CustomMCP node when the node processes user-provided configuration settings for external MCP server connections. The flaw was discovered by Kim SooHyun and affects Flowise versions >= 2.2.7-patch.1 and < 3.0.6.

Root Cause

The vulnerability lies in the convertToValidJSONString function within CustomMCP.ts, which passes user input directly to JavaScript’s Function() constructor — functionally equivalent to eval() — executing the user-supplied string as arbitrary JavaScript code with full Node.js runtime privileges.

Attack Mechanics

Exploitation involves sending a crafted HTTP POST request to the Flowise API endpoint /api/v1/node-load-method/customMCP (typically on port 3000) containing a malicious mcpServerConfig parameter that, when passed to Function('return ' + inputString)(), evaluates as a JavaScript expression with embedded code execution. No authentication is required when authentication is not configured — a common deployment scenario.

Impact

When exploited, attackers can execute arbitrary commands on the host machine, access sensitive files, extract API keys and credentials, deploy persistent backdoors, and in many environments use a single compromised Flowise instance as an entry point for lateral movement across integrated databases, cloud infrastructure, and third-party APIs.

Mitigation

Immediate Actions:

  • Upgrade to Flowise version 3.0.6 or later where the issue has been patched
  • Rotate all API tokens and credentials associated with Flowise deployments
  • Restrict network access to Flowise instances
  • Monitor for suspicious POST requests to /api/v1/node-load-method/customMCP
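The eval-style parsing described under Root Cause next to a hardened strict-JSON parser, plus a log-review check for the monitoring item above, as an added example (not Flowise's own code). The config shape (command/args), the function names, and the "non-JSON value is a review signal" heuristic are assumptions for illustration.

```typescript
// Added example, not Flowise's own code. Names and the config shape are assumed.

// The insecure pattern the advisory describes: the string is evaluated as a
// JavaScript expression, so any valid JS in it runs with the process's privileges.
// Kept here only to show why eval-style "JSON repair" is unsafe.
function unsafeConvert(input: string): unknown {
  return Function('return ' + input)();
}

// Assumed shape of a valid MCP server config for this example.
interface McpServerConfig {
  command: string;
  args?: string[];
}

// Hardened replacement: strict JSON.parse (which never executes code) followed by
// explicit shape validation. If loosely formatted input must be accepted, use a
// non-evaluating lenient parser (e.g. the JSON5 library) rather than Function()/eval.
function safeConvert(input: string): McpServerConfig {
  let parsed: unknown;
  try {
    parsed = JSON.parse(input);
  } catch {
    throw new Error('mcpServerConfig must be strict JSON');
  }
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  const cfg = parsed as Record<string, unknown>;
  if (typeof cfg.command !== 'string') throw new Error('command must be a string');
  if (cfg.args !== undefined &&
      !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  return { command: cfg.command, args: cfg.args as string[] | undefined };
}

// Review signal for request logs: a POST to the affected endpoint whose
// mcpServerConfig value is not strict JSON. JSON has no call syntax, so a value
// that parses as JSON cannot carry code; a non-JSON value may still be a benign
// but sloppy config, so treat hits as candidates for review, not verdicts.
function needsReview(method: string, path: string, mcpServerConfig: string | undefined): boolean {
  if (method !== 'POST' || !path.startsWith('/api/v1/node-load-method/customMCP')) return false;
  if (mcpServerConfig === undefined) return false;
  try { JSON.parse(mcpServerConfig); return false; } catch { return true; }
}
```

The caller is expected to extract the mcpServerConfig string from the request body in whatever envelope the deployment logs; the check itself is deliberately independent of that envelope.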

Pattern Context: This is the third Flowise flaw to be exploited in the field, after CVE-2025-8943 (CVSS 9.8) and CVE-2025-26319 (CVSS 8.9), suggesting sustained attacker focus on the platform.
