Cyber Resilience

CVE-2025-59528

CriticalPublic PoCRCE

Published: 22 September 2025

Published
22 September 2025
Modified
23 September 2025
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.8527 99.4th percentile
Risk Priority 71 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59528 is a critical-severity Code Injection (CWE-94) vulnerability in Flowiseai Flowise. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Flowise version 3.0.5 contains a remote code execution vulnerability in its CustomMCP node, which accepts an mcpServerConfig string from users to configure connections to external MCP servers. The convertToValidJSONString function passes this input directly to the JavaScript Function() constructor for evaluation, granting the executed code full access to the Node.js runtime and modules such as child_process and fs. The flaw is an instance of CWE-94 code injection and carries a CVSS 3.1 score of 10.0.

An attacker with network access to a Flowise instance can supply a malicious configuration string that executes arbitrary JavaScript. Because the code runs with the privileges of the Flowise server process, successful exploitation yields full control over the host, including the ability to spawn processes, read or write files, and exfiltrate data.

The project has released version 3.0.6 to address the issue. The references point to the specific lines in CustomMCP.ts and related server-side node handling code where the unsafe evaluation occurs.

The vulnerability affects an LLM workflow builder and shows an EPSS score that has reached 0.87, indicating substantial and sustained exploitation interest since disclosure.

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external…

more

MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability allows remote code execution via arbitrary user-supplied JavaScript executed with Node.js privileges in a public-facing web application.

CVEs Like This One

CVE-2026-41137Same product: Flowiseai Flowise
CVE-2026-41138Same product: Flowiseai Flowise
CVE-2025-50538Same product: Flowiseai Flowise
CVE-2025-8943Same product: Flowiseai Flowise
CVE-2026-40933Same product: Flowiseai Flowise
CVE-2025-61913Same product: Flowiseai Flowise
CVE-2025-58434Same product: Flowiseai Flowise
CVE-2025-61687Same product: Flowiseai Flowise
CVE-2025-34267Same product: Flowiseai Flowise
CVE-2026-41274Same product: Flowiseai Flowise

Affected Assets

flowiseai
flowise
3.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents arbitrary JavaScript execution by requiring validation and sanitization of the user-provided mcpServerConfig string before passing it to the Function() constructor.

prevent

Mitigates the vulnerability through timely patching to Flowise version 3.0.6, which addresses the insecure parsing and code execution in convertToValidJSONString.

prevent

Enforces restrictions on the mcpServerConfig input to only permit safe, valid configuration data, blocking malicious JavaScript payloads from being processed.

References