
Flowise AI agent builder CustomMCP RCE (CVE-2025-59528)

Disclosed vulnerability · 22 Sep 2025

Flowise is a popular open-source drag-and-drop builder for LLM apps and AI agents. CVE-2025-59528 (GitHub advisory GHSA-3gcm-f6qx-ff7p, reported by researcher @im-soohyun on 13 Sep 2025, NVD-published 22 Sep 2025) is a critical code-injection / RCE vulnerability rated CVSS 10.0 (CWE-94).

The defect is in the CustomMCP node, which lets users supply configuration for connecting to an external Model Context Protocol (MCP) server. Inside the convertToValidJSONString routine, the user-controlled mcpServerConfig value is reportedly passed directly to JavaScript's Function() constructor, which evaluates and runs it with full Node.js privileges. That gives an attacker access to dangerous modules such as child_process and fs, and thus full host compromise, arbitrary command execution and data theft. Exploitation reportedly needs only an API token (per the advisory's CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Affected versions are reportedly >=2.2.7-patch.1 and <3.0.6; the fix landed in 3.0.6.

The vulnerability gained renewed attention on/around 7 Apr 2026 when, per The Hacker News and Security Affairs, VulnCheck reported the first in-the-wild exploitation attempts (initially traced to a single Starlink IP) against an estimated 12,000–15,000 publicly exposed Flowise instances, with public PoC code available and a reported EPSS near 84%, landing it on CISA's Known Exploited Vulnerabilities list. (Payloads here are illustrative, not operational; figures attributed to the cited reporting.)

The core failure is unsafe execution of attacker-controlled input that arrives through an AI-agent tool/connector (the MCP config node), i.e. a tool-/connector-mediated RCE in agentic AI tooling.
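The pattern described above next to a data-only alternative, as an added example (not Flowise's code and not the 3.0.6 patch): `unsafeConvert` is a simplified stand-in for handing a config string to `Function()`, while `parseMcpServerConfig`, its key schema and its command allowlist are assumptions made for illustration.

```javascript
// Simplified stand-in for the pattern described above (not Flowise's code):
// the config string is compiled and executed as JavaScript.
function unsafeConvert(raw) {
  return new Function('return ' + raw)();
}

// Hardened form: the config is data. Key and command allowlists are assumptions.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url']);
const ALLOWED_COMMANDS = new Set(['npx', 'node', 'uvx']);

function isStringMap(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) &&
    Object.values(v).every((x) => typeof x === 'string');
}

function parseMcpServerConfig(raw) {
  if (typeof raw !== 'string' || raw.length > 16384) throw new Error('config must be a short string');
  let cfg;
  try {
    cfg = JSON.parse(raw); // parses literals only, never evaluates expressions
  } catch {
    throw new Error('config is not valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) throw new Error('config must be a JSON object');
  for (const key of Object.keys(cfg)) { // own keys only, so "__proto__" is caught here
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  const has = (k) => Object.prototype.hasOwnProperty.call(cfg, k);
  if (!has('command') && !has('url')) throw new Error('config needs command or url');
  if (has('command') && !ALLOWED_COMMANDS.has(cfg.command)) throw new Error('command not allowlisted');
  if (has('args') && !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) throw new Error('args must be an array of strings');
  if (has('env') && !isStringMap(cfg.env)) throw new Error('env must map strings to strings');
  if (has('url') && !(typeof cfg.url === 'string' && cfg.url.startsWith('https://'))) throw new Error('url must be https');
  return cfg;
}

// Returns 'ok' or the rejection reason, for logging and tests.
function check(raw) {
  try { parseMcpServerConfig(raw); return 'ok'; } catch (e) { return e.message; }
}

// Constructed sample inputs.
const JSON_CONFIG = '{"command":"npx","args":["-y","example-mcp-server"]}';
const EXPR_CONFIG = '{command: "npx", args: [String(6 * 7)]}'; // JS expression, not JSON

console.log(unsafeConvert(EXPR_CONFIG).args); // the expression was executed
console.log(check(EXPR_CONFIG), '|', check(JSON_CONFIG));
```

A command allowlist only narrows what a stdio-launched MCP server can be; the arguments passed to an allowlisted launcher still decide what runs and need their own review.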


AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan