CVE-2025-59528: Flowise has Remote Code Execution vulnerability
10
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| flowise | npm | = 3.0.5 | 3.0.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the CustomMCP component of Flowise, where user-provided configuration for an MCP server is parsed insecurely. The root cause is the convertToValidJSONString function in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts. This function used the Function() constructor to parse the mcpServerConfig string, a known security risk because the string is executed as JavaScript code rather than read as data. An attacker who controls the mcpServerConfig parameter can supply a JavaScript payload, which the Node.js runtime then executes with the server's privileges. The result is full remote code execution (RCE).
The patch, identified in commit 4af067a444a579f260d99e8c8eb0ae3d5d9b811a, replaces the insecure Function('return ' + inputString)() call with JSON5.parse(inputString). This change ensures that the input is treated as data (JSON) and not as executable code, effectively mitigating the RCE vulnerability.
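To make the difference concrete, here is an added example (not Flowise's code) that places the insecure parse pattern the advisory describes beside a data-only replacement and checks the behaviour of each. It assumes the untrusted input arrives as a string and uses the built-in JSON.parse as a stand-in for JSON5.parse, which the patch uses; the names and the sample config are constructed for the demonstration.

```javascript
// Added example, not Flowise's code. Models the pattern described in the advisory.

// Vulnerable pattern: Function() compiles and runs the string as JavaScript,
// so any expression in it executes with the process's privileges.
function convertToValidJSONStringVulnerable(inputString) {
  return JSON.stringify(Function('return ' + inputString)());
}

// Hardened pattern: parse as data only. Anything that is not literal JSON
// is rejected with a SyntaxError instead of being executed.
// (JSON.parse stands in for JSON5.parse; json5 accepts a superset of this syntax.)
function convertToValidJSONStringSafe(inputString) {
  return JSON.stringify(JSON.parse(inputString));
}

// Constructed input: syntactically a JS expression that has a side effect and
// then yields an object. Setting a global marker is a harmless stand-in for
// the arbitrary code the advisory describes.
const CONSTRUCTED_PAYLOAD =
  '(globalThis.__demoMarker = "code ran", { mcpServers: {} })';

// Constructed benign config of the shape an MCP server block typically has.
const BENIGN_CONFIG =
  '{"mcpServers": {"demo": {"command": "npx", "args": ["-y", "demo-server"]}}}';

// Runs both parsers on both inputs and reports what happened, so the
// execution side effect (or its absence) is observable rather than implied.
function demo() {
  const results = {};
  delete globalThis.__demoMarker;

  // Vulnerable parser: returns the object AND runs the embedded expression.
  results.vulnerableOutput = convertToValidJSONStringVulnerable(CONSTRUCTED_PAYLOAD);
  results.vulnerableSideEffect = globalThis.__demoMarker; // "code ran"
  delete globalThis.__demoMarker;

  // Hardened parser: the same string is malformed JSON, so it is rejected.
  try {
    convertToValidJSONStringSafe(CONSTRUCTED_PAYLOAD);
    results.safeRejected = false;
  } catch (err) {
    results.safeRejected = err instanceof SyntaxError;
  }
  results.safeSideEffect = globalThis.__demoMarker; // undefined: nothing ran

  // Legitimate configuration still round-trips through the hardened parser.
  results.safeBenign = convertToValidJSONStringSafe(BENIGN_CONFIG);
  return results;
}
```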
The analysis identified two key functions:
- convertToValidJSONString: the function with the core vulnerability, where the code injection occurs.
- CustomMCP.loadMethods: the function that receives the tainted input from the user and passes it to the vulnerable function, making it a critical part of the exploit chain and a key indicator in a runtime profile.
Vulnerable functions
- convertToValidJSONString in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts
- CustomMCP.loadMethods in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts