10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59528

GHSA ID

GHSA-3gcm-f6qx-ff7p

EPSS Score

CWE

CWE-94

Published

9/15/2025

Updated

9/22/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59528

CVE-2025-59528: Flowise has Remote Code Execution vulnerability

Description

Cause of the Vulnerability

The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.

Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs.

Vulnerability Flow

User Input Received: Input is provided via the API endpoint /api/v1/node-load-method/customMCP through the mcpServerConfig parameter.
Variable Substitution: The substituteVariablesInString function replaces template variables like $vars.xxx, but no security filtering is applied during this step.
Dangerous Code Execution: The convertToValidJSONString function executes the input using Function('return ' + inputString)(). If the inputString contains malicious code, it gets executed in the global Node.js context, allowing actions such as command execution and file system access.

Taint Flow

Taint 01: Route Registration
index.ts (Line 5)
Taint 02: Controller
index.ts (Line 57–78)
Taint 03: Service
index.ts (Line 91–94)
Taint 04: CustomMCP Node Entry Point
CustomMCP.ts (Line 132)
Taint 05: Variable Substitution
CustomMCP.ts (Line 220)
Taint 06: Dangerous Constructor Execution
CustomMCP.ts (Line 262–270)

Proof of Concept (PoC)

curl -X POST http://localhost:3000/api/v1/node-load-method/customMCP \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer tmY1fIjgqZ6-nWUuZ9G7VzDtlsOiSZlDZjFSxZrDd0Q" \
  -d '{
    "loadMethod": "listActions",
    "inputs": {
      "mcpServerConfig": "({x:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(\"echo !!RCE-OK!! >/tmp/RCE.txt\");return 1;})()})"
    }
  }'

When executed, this creates a file /tmp/RCE.txt on the server, confirming command execution.

Impact

Complete System Takeover and Infrastructure Threat

This vulnerability allows attackers to execute arbitrary JavaScript code on the Flowise server, leading to:

Full system compromise
File system access
Command execution
Sensitive data exfiltration

As only an API token is required, this poses an extreme security risk to business continuity and customer data.

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59528

GHSA ID

GHSA-3gcm-f6qx-ff7p

EPSS Score

CWE

CWE-94

Published

9/15/2025

Updated

9/22/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flowise	npm	= 3.0.5	3.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the CustomMCP component of Flowise, where user-provided configuration for an MCP server is parsed insecurely. The root cause is the convertToValidJSONString function in packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts. This function used the Function() constructor to parse the mcpServerConfig string, which is a known security risk as it executes the string as JavaScript code. An attacker can provide a malicious JavaScript payload in the mcpServerConfig parameter, which will then be executed by the Node.js runtime with the server's privileges. This allows for a full remote code execution (RCE) vulnerability.

The patch, identified in commit 4af067a444a579f260d99e8c8eb0ae3d5d9b811a, replaces the insecure Function('return ' + inputString)() call with JSON5.parse(inputString). This change ensures that the input is treated as data (JSON) and not as executable code, effectively mitigating the RCE vulnerability.

The analysis identified two key functions:

convertToValidJSONString: This is the function with the core vulnerability, where the code injection occurs.
CustomMCP.loadMethods: This is the function that receives the tainted input from the user and passes it to the vulnerable function, making it a critical part of the exploit chain and a key indicator in a runtime profile.

Vulnerable functions

convertToValidJSONString

packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts

The function `convertToValidJSONString` is vulnerable because it uses the `Function()` constructor to evaluate a user-provided string (`inputString`). This allows an attacker to inject and execute arbitrary JavaScript code on the server, leading to remote code execution. The patch replaces the dangerous `Function()` constructor with the safer `JSON5.parse()` method.

CustomMCP.loadMethods

packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts

This method is the entry point for the vulnerability within the `CustomMCP` node. It retrieves the user-controlled `mcpServerConfig` input and passes it to the `convertToValidJSONString` function, which then executes it as code. Any exploit targeting this vulnerability will have `CustomMCP.loadMethods` in its call stack, as it's responsible for processing the malicious payload.

WAF Protection Rules

WAF Rule

## **s*ription ### **us* o* t** Vuln*r**ility T** `*ustomM*P` no** *llows us*rs to input *on*i*ur*tion s*ttin*s *or *onn**tin* to *n *xt*rn*l M*P (Mo**l *ont*xt Proto*ol) s*rv*r. T*is no** p*rs*s t** us*r-provi*** `m*pS*rv*r*on*i*` strin* to *uil*

Reasoning

T** vuln*r**ility *xists in t** `*ustomM*P` *ompon*nt o* *lowis*, w**r* us*r-provi*** *on*i*ur*tion *or *n M*P s*rv*r is p*rs** ins**ur*ly. T** root **us* is t** `*onv*rtToV*li*JSONStrin*` *un*tion in `p**k***s/*ompon*nts/no**s/tools/M*P/*ustomM*P/*u

10

Basic Information

Concerned about an active attack path?

CVE-2025-59528: Flowise has Remote Code Execution vulnerability

Description

Cause of the Vulnerability

Vulnerability Flow

Taint Flow

Proof of Concept (PoC)

Impact

Complete System Takeover and Infrastructure Threat

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI