CVE-2025-59528
📋 TL;DR
Flowise versions 3.0.5 and below contain a critical remote code execution vulnerability in the CustomMCP node. Attackers can execute arbitrary JavaScript code with full Node.js privileges by manipulating the mcpServerConfig parameter, potentially gaining complete control of affected systems. All Flowise deployments using vulnerable versions are affected.
💻 Affected Systems
- Flowise
📦 What is this software?
Flowise by Flowiseai
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to data theft, service disruption, and unauthorized access to the underlying server and connected systems.
If Mitigated
Limited impact through network segmentation and strict input validation, though risk remains if vulnerable code is accessible.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via crafted input to the mcpServerConfig parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.6
Vendor Advisory: https://github.com/FlowiseAI/Flowise/security/advisories
Restart Required: Yes
Instructions:
1. Stop the Flowise service.
2. Update Flowise to version 3.0.6 or later using npm update or your package manager.
3. Restart the Flowise service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable CustomMCP Node
Remove or disable access to the vulnerable CustomMCP node functionality
Modify Flowise configuration to disable MCP nodes or restrict access
Network Isolation
Restrict network access to Flowise instances
Configure firewall rules to limit access to trusted IPs only
🧯 If You Can't Patch
- Immediately isolate affected systems from the internet and sensitive networks
- Implement strict input validation and sanitization for all user-provided configuration data
🔍 How to Verify
Check if Vulnerable:
Check the Flowise version in package.json or via npm list flowise. Versions 3.0.5 and earlier are vulnerable.
Check Version:
npm list flowise | grep flowise
Verify Fix Applied:
Confirm the version is 3.0.6 or later, and test that malicious input to the mcpServerConfig parameter is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution patterns
- Suspicious child_process or fs module usage
- Abnormal MCP server configuration attempts
Network Indicators:
- Unexpected outbound connections from Flowise server
- Suspicious payloads in HTTP requests to Flowise API endpoints
SIEM Query:
source="flowise" AND (mcpServerConfig CONTAINS "Function" OR mcpServerConfig CONTAINS "child_process" OR mcpServerConfig CONTAINS "fs")
🔗 References
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5
- https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94
- https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p