TheCyberThrone

CVE-2025-59528: Flowise CustomMCP Code Injection RCE


Status: Actively exploited | CVSS: 10.0 (Critical) | EPSS: 99.25% | Exposure: 12,000+ internet-facing instances

Vulnerability Summary

CVE-2025-59528 affects Flowise, a drag & drop interface for building customized large language model flows, allowing remote code execution through the CustomMCP node when processing user-provided configuration settings for external MCP server connections. The flaw was discovered by Kim SooHyun and affects Flowise versions >= 2.2.7-patch.1 and < 3.0.6.

Root Cause

The vulnerability lies in the convertToValidJSONString function within CustomMCP.ts, which passes user input directly to JavaScript’s Function() constructor — functionally equivalent to eval() — executing the user-supplied string as arbitrary JavaScript code with full Node.js runtime privileges.

Attack Mechanics

Exploitation involves sending a crafted HTTP POST request to the Flowise API endpoint /api/v1/node-load-method/customMCP (typically on port 3000) containing a malicious mcpServerConfig parameter that, when passed to Function('return ' + inputString)(), evaluates as a JavaScript expression with embedded code execution. No authentication is required when authentication is not configured — a common deployment scenario.
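The Root Cause and Attack Mechanics sections above describe a config string reaching Function('return ' + inputString)(). The following is an added example, not Flowise's own code, showing the safe replacement for that pattern (JSON.parse plus a shape check) and a log-side check that flags a config value the unsafe path would have evaluated; the accepted keys are an assumed schema for illustration.

```javascript
// Added example, not Flowise code. JSON.parse parses data only and cannot run
// code, unlike Function('return ' + input)(). The allowed keys are assumed.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);

function isStringMap(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) &&
    Object.values(v).every((x) => typeof x === 'string');
}

// Returns the parsed config object, or throws on anything that is not plain
// JSON matching the expected shape (including unknown keys such as __proto__).
function parseMcpServerConfig(input) {
  if (typeof input !== 'string' || input.length > 64 * 1024) {
    throw new Error('config must be a string of reasonable size');
  }
  let cfg;
  try {
    cfg = JSON.parse(input); // a JavaScript expression is rejected here
  } catch (e) {
    throw new Error('config is not valid JSON: ' + e.message);
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('config must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  if ('command' in cfg && typeof cfg.command !== 'string') throw new Error('command must be a string');
  if ('url' in cfg && typeof cfg.url !== 'string') throw new Error('url must be a string');
  if ('args' in cfg && !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  if ('env' in cfg && !isStringMap(cfg.env)) throw new Error('env must map strings to strings');
  if ('headers' in cfg && !isStringMap(cfg.headers)) throw new Error('headers must map strings to strings');
  return cfg;
}

// Defender-side check for request logs: an mcpServerConfig value that is not
// valid JSON but still compiles as a JavaScript expression is what the unsafe
// path would have executed. new Function() here only compiles; it is never called.
function isNonJsonExpression(input) {
  try { JSON.parse(input); return false; } catch (_) { /* not JSON, keep checking */ }
  try { new Function('return ' + input); return true; } catch (_) { return false; }
}
```

Run isNonJsonExpression over the mcpServerConfig values in access logs for the endpoint above; on a patched instance any hit is still worth investigating as an attempt.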

Impact

When exploited, attackers can execute arbitrary commands on the host machine, access sensitive files, extract API keys and credentials, deploy persistent backdoors, and in many environments use a single compromised Flowise instance as an entry point for lateral movement across integrated databases, cloud infrastructure, and third-party APIs.

Mitigation

Immediate Actions:

Pattern Context: This is the third Flowise flaw to be exploited in the field, after CVE-2025-8943 (CVSS 9.8) and CVE-2025-26319 (CVSS 8.9), suggesting sustained attacker focus on the platform.
