CVE-2025-59528
Published: 22 September 2025
Summary
CVE-2025-59528 is a critical-severity Code Injection (CWE-94) vulnerability in Flowiseai Flowise. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Flowise version 3.0.5 contains a remote code execution vulnerability in its CustomMCP node, which accepts an mcpServerConfig string from users to configure connections to external MCP servers. The convertToValidJSONString function passes this input directly to the JavaScript Function() constructor for evaluation, granting the executed code full access to the Node.js runtime and modules such as child_process and fs. The flaw is an instance of CWE-94 code injection and carries a CVSS 3.1 score of 10.0.
An attacker with network access to a Flowise instance can supply a malicious configuration string that executes arbitrary JavaScript. Because the code runs with the privileges of the Flowise server process, successful exploitation yields full control over the host, including the ability to spawn processes, read or write files, and exfiltrate data.
The project has released version 3.0.6 to address the issue. The references point to the specific lines in CustomMCP.ts and related server-side node handling code where the unsafe evaluation occurs.
The vulnerability affects an LLM workflow builder and shows an EPSS score that has reached 0.87, indicating substantial and sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29246
Vulnerability details
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external…
more
MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: flowise, large language model, mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote code execution via arbitrary user-supplied JavaScript executed with Node.js privileges in a public-facing web application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents arbitrary JavaScript execution by requiring validation and sanitization of the user-provided mcpServerConfig string before passing it to the Function() constructor.
Mitigates the vulnerability through timely patching to Flowise version 3.0.6, which addresses the insecure parsing and code execution in convertToValidJSONString.
Enforces restrictions on the mcpServerConfig input to only permit safe, valid configuration data, blocking malicious JavaScript payloads from being processed.