CVE-2025-59528 — AI Deep Analysis Summary

🚨 **Essence**: Flowise 3.0.5 suffers from **Code Injection** in the `CustomMCP` node. 📉 **Consequences**: Attackers can achieve **Remote Code Execution (RCE)** by injecting malicious JavaScript.…

🛡️ **Root Cause**: **CWE-94** (Code Injection). The `convertToValidJSONString` function directly passes user input to the JavaScript `Function()` constructor.…

📦 **Affected**: **Flowise** versions **3.0.5** and likely earlier. 🧩 **Component**: Specifically the **CustomMCP** node used for connecting to external MCP servers. 🏢 **Vendor**: FlowiseAI.

💀 **Privileges**: Attackers gain **full Node.js privileges**. 📂 **Data**: Complete access to the server's file system, environment variables, and network. 🔄 **Impact**: Critical (CVSS High) – total system compromise.

🔓 **Threshold**: **Low**. 🌐 **Access**: Network-accessible (AV:N). 🔑 **Auth**: None required (PR:N/UI:N). ⚙️ **Config**: Exploitation requires the victim to process user input through the vulnerable `CustomMCP` node.

🔍 **Public Exp**: **Yes**. Multiple PoCs are available on GitHub (e.g., `zimshk/CVE-2025-59528.yaml`). 🚀 **Automation**: Nuclei templates are also published, making automated exploitation easy for attackers.

🔎 **Self-Check**: Scan for Flowise instances running version **3.0.5**. 🧪 **Test**: Use the provided YAML PoC to trigger the `Function()` injection via the `CustomMCP` node configuration.…

🛠️ **Fix**: **Yes**. Version **3.0.6** has been released. 📥 **Action**: Upgrade immediately to **Flowise 3.0.6** or later. 🔄 **Patch**: The vendor has addressed the unsafe evaluation in the new release.

🚧 **Workaround**: If you cannot upgrade, **disable or remove** the `CustomMCP` node entirely. 🚫 **Restrict**: Do not allow untrusted users to configure MCP server connections.…

🔥 **Urgency**: **CRITICAL**. 🚨 **Priority**: **P0**. With public PoCs and low exploitation barriers, immediate patching to v3.0.6 is essential to prevent active exploitation and server takeover.