Get tailored security recommendations from our analyst team for CVE-2025-59528. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

0.0

/10

Not Available

Base Score Metrics

Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector

Not Available

Attack Complexity

Not Available

Privileges Required

Not Available

User Interaction

Not Available

Scope

Not Available

Impact Metrics

Confidentiality

Not Available

Integrity

Not Available

Availability

Not Available

Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Unknown Vendor

Unknown Product

Published: Unknown

Last Modified: Unknown

Copied to clipboard!

CVE-2025-59528

Expert Analysis

CVSS Score

Attack Vector Metrics

Impact Metrics

Description

Available Exploits

Related News

Affected Products

Unknown Product

Request Analysis

What to expect

Request Received!