CVSS 10.0 RCE in Flowise CustomMCP Node Exposes 12,000+ Instances
A CVSS 10.0 (maximum score) remote code execution (RCE) vulnerability has been found in Flowise, an open-source platform for building AI agent workflows with a no-code interface. Tracked as CVE-2025-59528, the vulnerability was disclosed and patched in September 2025, but VulnCheck’s research has confirmed active exploitation in the wild, with over 12,000 instances still exposed to the internet.
When it comes to MCP server vulnerabilities, a previously reported scan of 50 open-source MCP servers found widespread issues with missing input validation and command injection. The Flowise vulnerability is a textbook example of this pattern: user-supplied MCP server configuration values reach code execution with zero validation.
How the Vulnerability Works
Flowise has a feature called the CustomMCP node. Users enter configuration for connecting to an external MCP (Model Context Protocol) server, and Flowise parses that configuration to establish communication with the MCP server.
The problem was in how the configuration string was parsed. In the convertToValidJSONString function in CustomMCP.ts (lines 262-270), the user-supplied mcpServerConfig string was parsed using JavaScript’s Function() constructor instead of JSON.parse().
```javascript
Function('return ' + inputString)()
```
The Function() constructor is functionally equivalent to eval() — it executes the passed string as JavaScript code. This means a string intended as JSON configuration runs as arbitrary JavaScript. Since it executes with full Node.js runtime privileges, it has access to dangerous modules like child_process (OS command execution) and fs (filesystem operations).
Why Function() and eval() Are Dangerous
JavaScript has several ways to execute strings as code.
| Method | Behavior | Risk |
|---|---|---|
| JSON.parse() | Parses JSON data only. No code execution | Safe |
| JSON5.parse() | Parses JSON5 format. No code execution | Safe |
| eval() | Executes string as JavaScript code | Arbitrary code execution |
| Function() | Creates and executes a function from string. Equivalent to eval() | Arbitrary code execution |
| new vm.Script() | Executes code in a V8 context. Sandboxing is limited | Dangerous depending on configuration |
The fix replaced Function() with JSON5.parse(). JSON5 is a data-only format: a superset of JSON that allows extended syntax such as comments and trailing commas. Its parser performs no code execution whatsoever.
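The difference between the two parsing approaches, as an added example that is not Flowise's code: it uses the built-in JSON.parse() rather than JSON5 so it runs without dependencies, and the allowed-key schema, the function names and the counter-bumping probe are assumptions made for illustration.

```javascript
// Added example, not Flowise source. The counter records input text that ran as code.
globalThis.__executed = 0;

// Pre-fix pattern described above: the string is compiled and run as JavaScript.
function parseWithFunctionConstructor(input) {
  return Function('return ' + input)();
}

// Assumed schema for one MCP server entry (not Flowise's actual validation).
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);

// Data-only parsing followed by a shape check.
function parseMcpServerConfig(input) {
  if (typeof input !== 'string') throw new TypeError('mcpServerConfig must be a string');
  let cfg;
  try {
    cfg = JSON.parse(input); // JSON grammar has no calls or expressions to evaluate
  } catch {
    throw new SyntaxError('mcpServerConfig is not valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new TypeError('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError('unexpected key: ' + key);
  }
  const argsOk = !('args' in cfg) ||
    (Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'));
  if (!argsOk) throw new TypeError('args must be an array of strings');
  return cfg;
}

// Run one input through both parsers and report whether it executed.
function compareParsers(input) {
  const start = globalThis.__executed;
  parseWithFunctionConstructor(input);
  const afterFunction = globalThis.__executed;
  let rejected = null;
  try { parseMcpServerConfig(input); } catch (e) { rejected = e.message; }
  return {
    ranUnderFunction: afterFunction > start,
    ranUnderJsonParse: globalThis.__executed > afterFunction,
    rejected,
  };
}

// Constructed probe: an expression whose only side effect is a counter bump.
const PROBE = '({x:(function(){ globalThis.__executed++; return 1 })()})';
console.log(compareParsers(PROBE));
```
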
Attack Chain
Here’s how an attacker exploits this vulnerability.
```mermaid
graph TD
    A[Attacker] -->|Send POST request| B["/api/v1/node-load-method/customMCP"]
    B -->|mcpServerConfig parameter| C["Controller<br/>getSingleNodeAsyncOptions"]
    C -->|Variable substitution line 220<br/>No filtering| D["Service layer"]
    D -->|Pass string| E["convertToValidJSONString<br/>lines 262-270"]
    E -->|"Function('return ' + input)()"| F["Arbitrary JavaScript execution"]
    F --> G["child_process.execSync<br/>OS command execution"]
    F --> H["fs module<br/>File read/write"]
    F --> I["process.env<br/>Environment variable and credential theft"]
```
The attack payload wraps an IIFE (Immediately Invoked Function Expression) in an object literal.
```javascript
({x:(function(){ require('child_process').execSync('id') })()})
```
When this string is passed to Function('return ' + ...)(), it gets evaluated and executed as return ({x:(function(){...})()}). A single HTTP POST request is all it takes, making the attack complexity extremely low.
The Authentication Problem
Flowise’s API operates without authentication by default. API key configuration is optional, and instances without it configured are completely open to unauthenticated attacks. The PR:N (no privileges required) in the CVSS vector reflects this.
CVSS Vector Breakdown
Looking at the breakdown of the CVSS 10.0 maximum score reveals why this is so severe.
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No victim action required |
| Scope (S) | Changed | Impact extends beyond Flowise to other systems |
| Confidentiality (C) | High | Full data disclosure possible |
| Integrity (I) | High | Arbitrary data modification possible |
| Availability (A) | High | Service disruption possible |
The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The CWE classification is CWE-94 (Improper Control of Generation of Code, Code Injection).
12,000+ Instances Exposed
According to VulnCheck’s research, over 12,000 Flowise instances are directly exposed to the internet. For attackers, it’s a target-rich environment.
Active exploitation has been confirmed. VulnCheck reports that attack traffic originated from a single Starlink IP address. Observed post-compromise activities include:
- System reconnaissance via id, whoami, and hostname commands
- Environment variable collection (API keys and database credential theft)
- Reverse shell establishment using netcat and Python
- Lateral movement using stolen cloud credentials to compromise other systems in the network
- Exfiltration of AI configuration files and conversation logs
The EPSS (Exploit Prediction Scoring System) score is 84.07%, placing it at the 99.28th percentile. An 84% probability of exploitation within 30 days confirms this vulnerability is not a theoretical risk but an actively exploited threat. As of April 2026, it has not yet been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog.
Similarity to n8n Vulnerabilities
The pattern of expression evaluation leading directly to RCE in workflow automation tools was also seen in n8n’s multiple RCE vulnerabilities. n8n’s CVE-2025-68613 (CVSS 9.9) has been added to CISA KEV, with over 24,700 instances exposed.
The common thread is the danger of designs that evaluate user input as code. In n8n, expression evaluation through a vm2 sandbox was bypassed. In Flowise, the Function() constructor was used instead of JSON parsing. Both are low-code/no-code AI and automation tools where the ability to “let users write free-form configuration” became the attack surface.
Affected Versions and Mitigation
| Item | Details |
|---|---|
| Affected versions | 2.2.7-patch.1 and above, below 3.0.6 |
| Fixed version | 3.0.6 |
| Discovered by | Kim SooHyun (@im-soohyun) |
| Advisory published | September 13, 2025 (GitHub) |
| NVD published | September 22, 2025 |
Updating to 3.0.6 is the top priority. Additional recommended mitigations:
- Enable API authentication — Always configure an API key or Bearer token. Do not operate with the default unauthenticated state
- Restrict network access — Do not expose Flowise directly to the internet. Limit access to internal networks via VPN or reverse proxy
- Monitor HTTP logs — Watch for POST request bodies containing process.mainModule, child_process, require, execSync, or Function
- Egress filtering — Detect and block unauthorized outbound connections
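One way to implement the log-monitoring check above, as an added example that is not from Flowise or VulnCheck: it scans JSON-lines request logs for the listed tokens in POST bodies and raises the severity when the hit is on the CustomMCP load-method route. The log field names (ts, src, method, path, body) and the sample records are constructed for illustration.

```javascript
// Added example. Log field names (ts, src, method, path, body) are assumed.
const CUSTOM_MCP_PATH = '/api/v1/node-load-method/customMCP';
const TOKENS = ['process.mainModule', 'child_process', 'require', 'execSync', 'Function'];

// One case-sensitive, word-bounded regex per token so "required" does not match "require".
const MATCHERS = TOKENS.map((token) => ({
  token,
  re: new RegExp('\\b' + token.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '\\b'),
}));

function scanLogLines(lines) {
  const alerts = [];
  let unparsed = 0;
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { unparsed++; continue; }
    if (!rec || rec.method !== 'POST' || typeof rec.body !== 'string') continue;
    const hits = MATCHERS.filter((m) => m.re.test(rec.body)).map((m) => m.token);
    if (hits.length === 0) continue;
    alerts.push({
      ts: rec.ts,
      src: rec.src,
      path: rec.path,
      hits,
      // A hit on the CustomMCP route matches the attack chain described earlier.
      severity: String(rec.path).startsWith(CUSTOM_MCP_PATH) ? 'high' : 'review',
    });
  }
  return { alerts, unparsed };
}

// Constructed sample records using documentation IP ranges; not real traffic.
const SAMPLE_LINES = [
  { ts: '2026-04-01T10:00:00Z', src: '198.51.100.7', method: 'POST', path: CUSTOM_MCP_PATH,
    body: 'mcpServerConfig={"url":"https://mcp.example.internal/sse","note":"token required"}' },
  { ts: '2026-04-01T10:02:11Z', src: '203.0.113.45', method: 'POST', path: CUSTOM_MCP_PATH,
    body: "mcpServerConfig=({x:(function(){ require('child_process').execSync('id') })()})" },
  { ts: '2026-04-01T10:03:00Z', src: '198.51.100.7', method: 'GET', path: '/', body: '' },
].map((r) => JSON.stringify(r)).concat(['<truncated line']);

console.log(JSON.stringify(scanLogLines(SAMPLE_LINES), null, 2));
```

Token matching only works where request bodies are actually logged, and lines the scanner cannot parse are counted rather than silently dropped so gaps in coverage stay visible.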
Over half a year has passed since the patch was released, yet 12,000+ instances remain unpatched and exposed. If you’re running a self-hosted AI platform like Flowise, check your version now.