CVE-2025-59528
Flowise has a Remote Code Execution vulnerability
Description
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
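As an added defensive illustration (not code from Flowise or the advisory), the block below places the unsafe pattern the description names, user input handed to the Function() constructor, beside a hardened parser that accepts only strict JSON with an allow-listed shape; the command/args/env shape, the function names and the sample inputs are assumptions:

```javascript
// Added example, not Flowise's own code: the unsafe pattern the advisory
// describes (user input handed to the Function() constructor) beside a hardened
// parser. The config shape (command/args/env) is an assumption for illustration.

// UNSAFE: whatever `input` contains runs as JavaScript inside the Node.js process.
function parseConfigUnsafe(input) {
  return new Function(`return (${input});`)();
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// HARDENED: strict JSON only, then an allow-list check of keys and value types,
// so the string can describe a config but can never execute.
function parseConfigSafe(input) {
  let cfg;
  try {
    cfg = JSON.parse(input);
  } catch {
    throw new Error('mcpServerConfig must be strict JSON');
  }
  if (!isPlainObject(cfg)) throw new Error('config must be a JSON object');
  const unknown = Object.keys(cfg).filter((k) => !['command', 'args', 'env'].includes(k));
  if (unknown.length) throw new Error(`unexpected keys: ${unknown.join(', ')}`);
  if (typeof cfg.command !== 'string' || cfg.command === '') {
    throw new Error('command must be a non-empty string');
  }
  const args = cfg.args ?? [];
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    throw new Error('args must be an array of strings');
  }
  const env = cfg.env ?? {};
  if (!isPlainObject(env) || !Object.entries(env).every(
    ([k, v]) => /^[A-Za-z_][A-Za-z0-9_]*$/.test(k) && typeof v === 'string')) {
    throw new Error('env must map identifier-like names to strings');
  }
  return { command: cfg.command, args: [...args], env: { ...env } };
}

// Constructed inputs: a valid config, and a benign JavaScript expression that is
// not JSON. The unsafe parser executes it (the global flag flips); the hardened
// parser rejects it before anything runs.
const CONSTRUCTED_VALID = '{"command":"npx","args":["-y","example-mcp-server"]}';
const CONSTRUCTED_NON_JSON =
  "(() => { globalThis.__configWasExecuted = true; return { command: 'echo' }; })()";
```

The same allow-list approach generalises to any node that accepts configuration text: parse with JSON.parse, never with eval-style APIs, and validate the result's shape before use.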
INFO
Published Date: Sept. 22, 2025, 8:15 p.m.
Last Modified: Sept. 23, 2025, 4:45 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| 10.0 | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | [email protected] |
Solution
- Update Flowise to version 3.0.6.
- Apply any available security patches promptly.
- Review input validation for custom nodes.
Public PoC/Exploit Available at GitHub
CVE-2025-59528 has 29 public PoCs/exploits available on GitHub; the list appears below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-59528.
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-59528 is associated with the following CWE:
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-59528 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).
Hack The Box - Silentium machine writeup | CVE-2025-58434, CVE-2025-59528, CVE-2025-8110
None
Python
Sandbox Escape + Native Node.js Reverse Shell (Bypassing the Absence of Bash)
This is just an exploit I've made that takes advantage of two vulnerabilities found in Flowise version 3.0.5.
Python
None
Python
Authenticated Remote Code Execution (RCE) exploit for Flowise AI versions ≤ 3.0.4. Leverages a vulnerability in the /api/v1/node-load-method/customMCP endpoint to execute arbitrary system commands via Node.js child_process.execSync(). Includes full PoC script and remediation steps.
Python
Write-up of challenges by Albinator19
A simple python script to exploit CVE-2025-59528, this is an Authenticated RCE vulnerability in Flowise application, a popular AI tool. That is also used in HTB seasonal challenge. The issue is present in version <= 3.0.5, for more details: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
Python
A curated collection of AI-assisted exploit scripts developed during penetration testing engagements, red team operations, and CTF competitions.
ai ai-generated ctf cve exploits penetration-testing pentesting red-team red-teaming
Python
CVE-2025-58434 Flowise <= 3.0.5 and earlier allows account takeover via unauthenticated forgot-password token. CVE-2025-59528 FlowiseAI Custom MCP Node Remote Code Execution.
Python
CVE-2025-59528 Proof of Concept
Python
CVE-2025-59528 - FlowiseAI CustomMCP Remote Code Execution
Python
Combined PoC for CVE-2025-28434 and CVE-2025-59528
cve-exploit cybersecurity poc remote-code-execution vulnerability-scanner
Python
RCE exploit for Gogs <= 0.13.3
Python
Exploitation Silentium HTB-CTF
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2025-59528 vulnerability anywhere in the article.
- The Hacker News: ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
  Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-s ...
- Daily CyberSecurity: The CVE Watchtower: Weekly Threat Intelligence Briefing (April 6 – April 12, 2026)
  Welcome to this week’s vulnerability digest. As we close out the first full week of April, security teams are faced with a challenging landscape of critical zero-days, active exploitations, and severe ...
- The Cyber Express: ClickFix macOS Attack Uses Script Editor to Bypass Security Controls
  A newly identified ClickFix-style macOS attack demonstrates how threat actors are refining their techniques to evade security defenses. The campaign moves away from the traditional reliance on Termina ...
- TheCyberThrone: OpenSSL 3.6.2: The Moderate Severity Wave
  OpenSSL 3.6.2 landed this week carrying eight CVE fixes, with the project rating the most severe issue as Moderate. On the surface, that sounds reassuring—no critical exploits, no ransomware-grade zer ...
- The Cyber Express: Critical Flowise RCE Vulnerability Actively Exploited, Thousands of Systems at Risk
  A critical Flowise RCE vulnerability is now being actively exploited. The flaw, tracked as CVE-2025-59528, carries a maximum severity rating and enables attackers to execute arbitrary code on affected ...
- TheCyberThrone: CVE-2025-59528: Flowise CustomMCP Code Injection RCE
  April 7, 2026. Status: Actively exploited | CVSS: 10.0 (Critical) | EPSS: 99.25% | Exposure: 12,000+ internet-facing instances. Vulnerability Summary: CVE-2025-59528 affects Flowise, a drag & drop interface ...
- CybersecurityNews: Flowise AI Agent Builder Injection Vulnerability Exploited in Attacks, 15,000+ Instances Exposed
  Threat actors are actively exploiting a maximum-severity remote code execution (RCE) vulnerability in Flowise, an open-source platform used for building AI agents and customized large language model w ...
- The Hacker News: Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
  Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck. The vulnerability in question ...
The following list records the changes that have been made to the CVE-2025-59528 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Initial Analysis by [email protected] (Sep. 23, 2025)
  - Added CPE Configuration: OR *cpe:2.3:a:flowiseai:flowise:3.0.5:*:*:*:*:*:*:*
  - Added Reference Type (GitHub, Inc.), Types: Product:
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94
  - Added Reference Type (GitHub, Inc.), Types: Release Notes: https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6
  - Added Reference Type (GitHub, Inc.), Types: Exploit, Vendor Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
- New CVE Received by [email protected] (Sep. 22, 2025)
  - Added Description: the vulnerability description given in the Description section above.
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  - Added CWE: CWE-94
  - Added References:
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5
    - https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94
    - https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6
    - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p