Flowise AI agent builder CustomMCP RCE (CVE-2025-59528)
Disclosed vulnerability, 22 Sep 2025

Flowise is a popular open-source drag-and-drop builder for LLM apps and AI agents. CVE-2025-59528 (GitHub advisory GHSA-3gcm-f6qx-ff7p, reported by researcher @im-soohyun on 13 Sep 2025, NVD-published 22 Sep 2025) is a critical code-injection / RCE rated CVSS 10.0 (CWE-94).

The defect is in the CustomMCP node, which lets users supply configuration for connecting to an external Model Context Protocol (MCP) server. Inside the convertToValidJSONString routine, the user-controlled mcpServerConfig value is reportedly passed directly to JavaScript's Function() constructor, which evaluates and runs it with full Node.js privileges, giving an attacker access to dangerous modules such as child_process and fs and thus full host compromise, arbitrary command execution and data theft. Exploitation reportedly needs only an API token (per the advisory's CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Affected versions are reportedly >=2.2.7-patch.1 and <3.0.6; the fix landed in 3.0.6.

The vulnerability gained renewed attention on/around 7 Apr 2026 when, per The Hacker News and Security Affairs, VulnCheck reported the first in-the-wild exploitation attempts (initially traced to a single Starlink IP) against an estimated 12,000–15,000 publicly exposed Flowise instances, with public PoC code available and a reported EPSS near 84%, landing it on CISA's Known Exploited Vulnerabilities list. (Payloads here are illustrative, not operational; figures attributed to the cited reporting.)

The core failure is unsafe execution of attacker-controlled input that arrives through an AI-agent tool/connector (the MCP config node), i.e. a tool-/connector-mediated RCE in agentic AI tooling.
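The pattern described above, next to a data-only alternative, as an added example: this is not Flowise source code and not the 3.0.6 patch. Every name except mcpServerConfig is hypothetical, the allowed field names are assumptions, and the inputs are constructed; the probe's only effect is to set a marker.

```javascript
// BEFORE: the reported pattern. The string is compiled and run as JavaScript,
// so any expression inside it executes with the server process's privileges.
function parseConfigUnsafe(mcpServerConfig) {
  return Function('return ' + mcpServerConfig)();
}

// AFTER: treat the value strictly as data and validate its shape.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url']); // assumed field names

function parseConfigSafe(mcpServerConfig) {
  let cfg;
  try {
    cfg = JSON.parse(mcpServerConfig); // JSON grammar only, nothing is evaluated
  } catch (err) {
    throw new Error('mcpServerConfig is not valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  if ('command' in cfg && typeof cfg.command !== 'string') {
    throw new Error('command must be a string');
  }
  if ('args' in cfg &&
      !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  return cfg;
}

// Constructed inputs: a plain JSON config and a harmless evaluation probe.
const BENIGN = '{"command": "npx", "args": ["-y", "example-mcp-server"]}';
const PROBE = '({ command: (globalThis.__probeRan = true, "x") })';

function demo() {
  globalThis.__probeRan = false;
  parseConfigUnsafe(PROBE);                 // expression inside the "config" runs
  const unsafeExecuted = globalThis.__probeRan;
  globalThis.__probeRan = false;
  let rejected = false;
  try { parseConfigSafe(PROBE); } catch (err) { rejected = true; }
  const safeExecuted = globalThis.__probeRan; // stays false: nothing was evaluated
  return { unsafeExecuted, rejected, safeExecuted, parsed: parseConfigSafe(BENIGN) };
}
```

A grep for `Function(` and `eval(` on code paths that receive connector or tool configuration is a quick way to find the same pattern in other agent tooling.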
Risks it illustrates
Sources
- NVD — CVE-2025-59528
- GitHub Security Advisory GHSA-3gcm-f6qx-ff7p — Flowise has Remote Code Execution vulnerability
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed — The Hacker News (Apr 2026)
- Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution — Security Affairs (7 Apr 2026)
- Critical Remote Code Execution Vulnerability in Flowise AI: CVE-2025-59528 — Aviatrix Threat Research Center