CVE-2025-59528
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
Analysis
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The user-supplied mcpServerConfig string is not parsed as data: inside convertToValidJSONString it is handed to the Function() constructor and evaluated as JavaScript. An attacker who can set that field therefore runs arbitrary code inside the Flowise Node.js process, with access to modules such as child_process and fs, and does not need any shell metacharacters or a spawned MCP server process to do so. The CVSS vector (PR:N, UI:N) reflects that an instance reachable without authentication can be exploited by any network client.
Technical Context
The CustomMCP node allows users to configure connections to external MCP (Model Context Protocol) servers. The mcpServerConfig string is meant to hold that configuration as JSON. To tolerate loosely formatted input, convertToValidJSONString builds a function body from the raw string and calls it via the Function() constructor, which is equivalent to eval: the input is executed as a JavaScript expression and the returned value is then used as the configuration. Because evaluation happens before any validation, a payload such as a self-invoking function that requires child_process executes with the full privileges of the Flowise process at parse time, regardless of whether an MCP server is ever started. The issue is fixed in version 3.0.6.
Affected Products
Flowise 3.0.5
Flowise < 3.0.1 (listed by this page as also affected)
Remediation
Update to Flowise 3.0.6 or later. Until the update is applied, enable authentication on Flowise instances so that the CustomMCP node cannot be reached anonymously. Treat the mcpServerConfig field as attacker-controlled: parse it with a strict JSON parser rather than Function() or eval, validate the resulting object's shape, and apply an allowlist of permitted MCP server commands before anything is spawned. Run Flowise in a container with restricted filesystem and network access so that code execution inside the Node.js process has limited reach.
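The following is an added example, not Flowise's own code, that reconstructs the vulnerable pattern described in the Technical Context section beside the hardened parse-and-allowlist approach recommended above. The function names (convertToValidJSONStringUnsafe, parseMcpServerConfig, convertToValidJSONStringSafe), the assumed config shape (a JSON object with either a command/args pair or a url field) and the ALLOWED_COMMANDS set are assumptions for illustration; the demo payload sets a marker on globalThis instead of touching child_process so the effect is observable without doing harm.

```javascript
// Added example: reconstruction of the Function()-evaluation bug described in
// CVE-2025-59528 next to a hardened replacement. Not Flowise's code; names,
// the config shape and the allowlist below are assumptions.

// Vulnerable pattern: the raw string becomes a function body and is executed
// with the full Node.js runtime, so any JavaScript expression runs.
function convertToValidJSONStringUnsafe(mcpServerConfig) {
  const value = Function('return ' + mcpServerConfig)();
  return JSON.stringify(value);
}

// Assumed deployment-specific allowlist of launchers an MCP stdio server may use.
const ALLOWED_COMMANDS = new Set(['npx', 'node', 'uvx']);

// Hardened replacement: JSON.parse treats the input as data, never code, and
// the shape is checked before anything could be spawned.
function parseMcpServerConfig(mcpServerConfig) {
  let value;
  try {
    value = JSON.parse(mcpServerConfig);
  } catch (err) {
    throw new Error('mcpServerConfig must be valid JSON: ' + err.message);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  if (typeof value.command === 'string') {
    if (!ALLOWED_COMMANDS.has(value.command)) {
      throw new Error('command not in allowlist: ' + value.command);
    }
    const argsOk = value.args === undefined ||
      (Array.isArray(value.args) && value.args.every((a) => typeof a === 'string'));
    if (!argsOk) {
      throw new Error('args must be an array of strings');
    }
  } else if (typeof value.url !== 'string') {
    throw new Error('config needs a "command" (stdio) or "url" (remote) field');
  }
  return value;
}

function convertToValidJSONStringSafe(mcpServerConfig) {
  return JSON.stringify(parseMcpServerConfig(mcpServerConfig));
}

// Returns true when the hardened parser rejects the given config string.
function rejects(mcpServerConfig) {
  try {
    convertToValidJSONStringSafe(mcpServerConfig);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed inputs for the demo.
const BENIGN = '{"command":"npx","args":["-y","@modelcontextprotocol/server-filesystem","/tmp"]}';
const NOT_ALLOWLISTED = '{"command":"bash","args":["-c","id"]}';
// A self-invoking function that would, in a real attack, require child_process;
// here it only leaves a marker on globalThis and returns a plausible config.
const PAYLOAD = '(() => { globalThis.mcpDemoMarker = "executed"; return {"command":"npx"}; })()';

function demo() {
  delete globalThis.mcpDemoMarker;
  const unsafeOut = convertToValidJSONStringUnsafe(PAYLOAD);
  const unsafeExecuted = globalThis.mcpDemoMarker === 'executed';

  delete globalThis.mcpDemoMarker;
  const safeRejectedPayload = rejects(PAYLOAD);
  const safeExecuted = globalThis.mcpDemoMarker === 'executed';

  return {
    unsafeOut,              // '{"command":"npx"}' - the payload still "looks" valid
    unsafeExecuted,         // true  - code ran during parsing
    safeRejectedPayload,    // true  - JSON.parse refuses the expression
    safeExecuted,           // false - nothing ran
    safeRejectedCommand: rejects(NOT_ALLOWLISTED), // true - bash not allowlisted
    benignOut: convertToValidJSONStringSafe(BENIGN)
  };
}

console.log(demo());
```

The point the demo makes is that the unsafe path returns a perfectly normal-looking configuration string, so nothing downstream would notice that arbitrary code already ran; the only defensible fix is to stop evaluating the input at all and validate the parsed object against an explicit shape and allowlist.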