CVE-2025-59528

CRITICAL

CVSS v3

10

CRITICAL

EPSS Score

83.0%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.

Technical Details

Published
9/22/2025
Exploit-DB
EDB-52440

Frequently Asked Questions

What is CVE-2025-59528?

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.

Is CVE-2025-59528 actively exploited?

Active exploitation of CVE-2025-59528 has not been confirmed. The EPSS score is 83.0%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-59528?

CVE-2025-59528 has a CVSS v3 base score of 10 (CRITICAL severity).

Is CVE-2025-59528 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.