Overview
The Common Vulnerabilities and Exposures system has recently identified a critical vulnerability in Flowise 3.0.5, a popular drag & drop user interface used to build customized large language model flows. The vulnerability, officially designated as CVE-2025-59528, poses a significant risk to the security of any system running the affected version of Flowise. It allows for remote code execution, potentially leading to system compromise, data leakage, and other severe consequences.
Vulnerability Summary
CVE ID: CVE-2025-59528
Severity: Critical (10.0 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Impact: Remote Code Execution leading to potential system compromise or data leakage
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
Flowise | 3.0.5
How the Exploit Works
The vulnerability resides in the CustomMCP node, which allows users to input configuration settings for connecting to an external MCP server. During this process, user-provided input is converted into a JavaScript string without any security validation. This input is then passed directly to the Function() constructor, which evaluates and executes it as JavaScript code. Due to the lack of any security measures, this process runs with full Node.js runtime privileges, allowing it to access potentially dangerous modules such as child_process and fs.
Conceptual Example Code
Below is a conceptual example of how this vulnerability might be exploited:
let mcpServerConfig = `{
"mcpServer": "https://mcpserver.com",
"credentials": "root",
"command": "require('child_process').exec('rm -rf / --no-preserve-root')"
}`;
let malicious_payload = new Function('return ' + mcpServerConfig)();
malicious_payload();
In the above pseudocode, a malicious user can craft a configuration string that includes a command to be executed on the server (in this case, a command to delete all files). This configuration string is then passed to the Function() constructor, which executes the command as JavaScript code with full Node.js runtime privileges. This could lead to catastrophic results, including total system compromise.
Note: The above example is purely conceptual and simplifies the actual process for understanding. Actual exploits may be significantly more complex and vary greatly in their implementation.
