CVE-2025-59528

CRITICAL EXPLOITED NUCLEI LAB

Flowise 3.0.5 - Remote Code Execution via CustomMCP Node Configuration Parsing

Title source: llm

Exploitation Summary

CVE-2025-59528 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 21 public exploits from researchers including nltt0, secopssite and AzureADTrent, among them a Metasploit module, exploits/multi/http/flowise_js_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an authenticated RCE vulnerability in Flowise < 3.0.5 by injecting a malicious payload into the `customMCP` API endpoint, which executes arbitrary commands via Node.js `child_process.execSync`.

Description

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.
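The safe counterpart to the pattern described above, as an added example (not Flowise's code and not its 3.0.6 patch): the config string is treated as data, parsed with JSON.parse and checked against an allow-list. The function names, accepted keys and command allow-list are assumptions for illustration.

```javascript
// Added example: treat the MCP server config string as data, never as code.
// Key names, command allow-list and function names are illustrative assumptions.
const ALLOWED_KEYS = new Set(['command', 'args', 'env']);
const ALLOWED_COMMANDS = new Set(['npx', 'node']); // deployment-specific
const MAX_LEN = 8192;

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function parseMcpServerConfig(input) {
  if (typeof input !== 'string' || input.length > MAX_LEN) {
    throw new TypeError('config must be a string of bounded size');
  }
  // JSON.parse only builds data. Unlike Function() or eval(), it cannot run
  // code: unquoted keys, expressions and calls are syntax errors.
  let raw;
  try {
    raw = JSON.parse(input);
  } catch {
    throw new SyntaxError('config is not strict JSON');
  }
  if (!isPlainObject(raw)) throw new TypeError('config must be a JSON object');

  // Reject unknown keys, including an own "__proto__" key produced by JSON.parse.
  for (const key of Object.keys(raw)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError(`unexpected key: ${key}`);
  }
  const { command, args = [], env = {} } = raw;
  if (typeof command !== 'string' || !ALLOWED_COMMANDS.has(command)) {
    throw new TypeError('command is not on the allow-list');
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    throw new TypeError('args must be an array of strings');
  }
  if (!isPlainObject(env) || !Object.values(env).every((v) => typeof v === 'string')) {
    throw new TypeError('env must map names to strings');
  }
  return { command, args, env };
}

// Constructed sample input, not taken from a real deployment.
const SAMPLE = '{"command":"npx","args":["-y","example-mcp-server"],"env":{"LOG_LEVEL":"info"}}';
console.log(parseMcpServerConfig(SAMPLE));
```

Input that relies on JavaScript syntax rather than strict JSON fails at the parse step, so there is no evaluation path left to validate or sandbox.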

Exploits (21)

exploitdb WORKING POC
by nltt0 · python · webapps · multiple
https://www.exploit-db.com/exploits/52440

This exploit leverages an authenticated RCE vulnerability in Flowise < 3.0.5 by injecting a malicious payload into the `customMCP` API endpoint, which executes arbitrary commands via Node.js `child_process.execSync`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise < 3.0.5
Auth required
Prerequisites: Valid user credentials · Access to the target API endpoint
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP 9 stars
by secopssite · poc
https://github.com/secopssite/HTB

This repository contains a detailed technical writeup for CVE-2025-59528, focusing on a prototype pollution vulnerability in a Node.js application. It includes a step-by-step analysis of the vulnerability, exploitation steps, and patching guidance.

Classification: Writeup 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: AgriWeb (Node.js farming dashboard application)
Auth required
Prerequisites: access to the target application · valid user credentials
devstral-2 · analyzed Apr 13, 2026

github WORKING POC 2 stars
by AzureADTrent · python · remote-auth
https://github.com/AzureADTrent/CVE-2025-58434-59528

This repository contains a functional exploit chain for CVE-2025-58434 (unauthenticated account takeover via password reset token disclosure) and CVE-2025-59528 (authenticated RCE via CustomMCP node JS injection) in Flowise <= 3.0.5. The Python script automates the full attack chain, including password reset, API key retrieval, and command execution or reverse shell setup.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise <= 3.0.5
No auth needed
Prerequisites: valid email address of a target account · network access to the Flowise instance
devstral-2 · analyzed May 01, 2026

github WORKING POC 1 star
by 0xDaeras · python · poc
https://github.com/0xDaeras/Flowise-CVE-2025-58434-Chain-59528

This repository contains a functional Python exploit for chaining CVE-2025-58434 (account takeover via password reset token exposure) and CVE-2025-59528 (RCE via unsafe JavaScript evaluation in Flowise's CustomMCP node). The exploit includes full attack flow automation, from vulnerability checks to authenticated RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise 3.0.5
Auth required
Prerequisites: valid user email · target Flowise instance · network access to target
devstral-2 · analyzed May 17, 2026

github WORKING POC 1 star
by 0xDaeras · python · remote
https://github.com/0xDaeras/FlowiseAI-CVE-Chain-PoC

This repository contains a functional Python exploit for chaining two Flowise vulnerabilities: CVE-2025-58434 (account takeover via exposed password reset tokens) and CVE-2025-59528 (RCE via unsafe JavaScript evaluation in the CustomMCP node). The exploit includes full attack chain automation, from vulnerability checks to authenticated RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise 3.0.5
Auth required
Prerequisites: valid user email address · network access to target · listener for reverse shell
devstral-2 · analyzed May 09, 2026

nomisec WORKING POC
by Moon-Harvest · remote-auth
https://github.com/Moon-Harvest/CVE-2025-59528

This repository contains a functional Go-based exploit for CVE-2025-59528, which targets a remote code execution vulnerability in Flowise versions <= 3.0.5. The exploit leverages unvalidated JavaScript execution via the `mcpServerConfig` parameter to achieve arbitrary command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise <= 3.0.5
Auth required
Prerequisites: target URL · valid API key · command to execute
devstral-2 · analyzed Jun 09, 2026

github WRITEUP
by SuriyaBoon · poc
https://github.com/SuriyaBoon/HackTheBox-Silentium

This is a detailed technical writeup for the HackTheBox machine 'Silentium', which chains three CVEs (CVE-2025-58434, CVE-2025-59528, and CVE-2025-8110) to achieve full system compromise. It includes step-by-step exploitation details, code snippets, and technical analysis of each vulnerability.

Classification: Writeup 100%
Attack Type: RCE | LPE | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Flowise 3.0.5, Gogs
Auth required
Prerequisites: Access to the target network · Basic knowledge of web exploitation and privilege escalation
devstral-2 · analyzed Jun 01, 2026

github WORKING POC
by corey-farley · python · remote-auth
https://github.com/corey-farley/CVE-2025-59528-Flowise-RCE

This repository contains a functional Python exploit for CVE-2025-59528, an authenticated RCE vulnerability in Flowise <= 3.0.5 via the CustomMCP Node. The exploit leverages a crafted JSON payload to execute arbitrary system commands through Node.js child_process module.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise <= 3.0.5
Auth required
Prerequisites: valid API key or session token · access to the vulnerable endpoint
devstral-2 · analyzed May 17, 2026

nomisec WORKING POC
by im-nymii · poc
https://github.com/im-nymii/CVE-2025-59528

This repository contains a functional PoC for CVE-2025-59528, demonstrating RCE in Flowise via JavaScript injection in the `mcpServerConfig` parameter. The exploit leverages `child_process` to execute arbitrary commands on the server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise < 3.0.5
Auth required
Prerequisites: Valid API key · User account on target Flowise instance · Callback listener setup
devstral-2 · analyzed May 17, 2026

github WORKING POC
by mananispiwpiw · python · remote-auth
https://github.com/mananispiwpiw/CVE-2025-59528-PoC

This repository contains a functional Python PoC for CVE-2025-59528, which exploits a command injection vulnerability in Flowise via the `/api/v1/node-load-method/customMCP` endpoint. The script authenticates, extracts session tokens, and sends a crafted payload to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise (version not specified)
Auth required
Prerequisites: valid credentials for the target Flowise instance · network access to the target
devstral-2 · analyzed May 01, 2026

github WORKING POC
by honney336 · python · poc
https://github.com/honney336/CVE-2025-58434_CVE-2025-59528

This repository contains a functional exploit script that chains CVE-2025-58434 (account takeover via unauthenticated forgot-password token) and CVE-2025-59528 (RCE in FlowiseAI Custom MCP Node) to achieve remote code execution. The script automates the attack by resetting the password and injecting a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise <= 3.0.5
No auth needed
Prerequisites: valid email associated with a Flowise account · network access to the target · listener setup for reverse shell
devstral-2 · analyzed May 01, 2026

nomisec WORKING POC
by danhle5402 · remote-auth
https://github.com/danhle5402/CVE-2025-59528

This repository contains a functional exploit for CVE-2025-59528, which chains an account takeover (CVE-2025-58434) with a remote code execution vulnerability in Flowise via a CustomMCP node injection. The exploit includes steps for password reset, API key retrieval, and command execution or reverse shell setup.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise (version <= 3.0.5)
Auth required
Prerequisites: target email address or API key · network access to the target · TLS verification may need to be disabled
devstral-2 · analyzed Apr 16, 2026

nomisec WORKING POC
by r3nsi15 · remote-auth
https://github.com/r3nsi15/Flowise-RCE-CVE-2025-59528

The repository contains a functional Python-based exploit for CVE-2025-59528, demonstrating authenticated RCE in Flowise AI <= 3.0.4 via JavaScript injection into the customMCP endpoint. The PoC includes authentication, payload delivery, and command execution using Node.js's child_process module.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Flowise AI <= 3.0.4
Auth required
Prerequisites: valid user credentials · network access to Flowise API
devstral-2 · analyzed Apr 15, 2026

nomisec WORKING POC
by maradonam18 · remote-auth
https://github.com/maradonam18/-CVE-2025-59528-PoC

This repository contains a functional Python script that exploits CVE-2025-59528, an authenticated remote code execution (RCE) vulnerability in FlowiseAI's Flowise application (versions <= 3.0.5). The exploit leverages a vulnerable endpoint to inject and execute arbitrary commands via a crafted JSON payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FlowiseAI Flowise <= 3.0.5
Auth required
Prerequisites: valid API key for authentication · target URL with vulnerable endpoint
devstral-2 · analyzed Apr 15, 2026

nomisec WORKING POC
by vanhari · remote
https://github.com/vanhari/CVE-2025-59528

The repository contains a functional Python exploit for CVE-2025-59528, targeting Flowise's customMCP node. It leverages unsafe JavaScript evaluation via the Function constructor to achieve remote code execution (RCE) by injecting a reverse shell payload or arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise v3.0.5
Auth required
Prerequisites: valid API key · network access to target
devstral-2 · analyzed Apr 14, 2026

nomisec WORKING POC
by UsifAraby · remote-auth
https://github.com/UsifAraby/CVE-2025-59528-POC

This repository contains a functional exploit for CVE-2025-59528, a critical RCE vulnerability in FlowiseAI's CustomMCP node. The exploit leverages the unsafe use of JavaScript's Function() constructor to execute arbitrary commands via crafted input to the mcpServerConfig parameter.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FlowiseAI Flowise >= 2.2.7-patch.1 and < 3.0.6
Auth required
Prerequisites: Network access to the Flowise API endpoint (default port 3000) · Valid credentials for authentication (email/password, username/password, or cookie)
devstral-2 · analyzed Apr 13, 2026

vulncheck_xdb WORKING POC
remote-auth
https://github.com/Kamigold/Flowise-RCE

This repository contains a functional exploit for CVE-2025-59528, demonstrating an account takeover (ATO) followed by remote code execution (RCE) in Flowise versions prior to 3.0.5. The exploit chains password reset abuse with a prototype pollution vulnerability in the `customMCP` endpoint to achieve arbitrary command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise < 3.0.5
No auth needed
Prerequisites: valid email address of a target user · network access to the Flowise API
devstral-2 · analyzed Jun 06, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/TYehan/CVE-2025-58434-59528

This repository contains a functional exploit chain for CVE-2025-58434 (unauthenticated account takeover via password reset token disclosure) and CVE-2025-59528 (authenticated RCE via CustomMCP node JS injection in Flowise). The Python script automates the full attack chain, including password reset, API key retrieval, and command execution or reverse shell setup.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise <= 3.0.5
No auth needed
Prerequisites: valid email address of a target account · network access to the Flowise instance
devstral-2 · analyzed Apr 21, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/CVETeam/FlowiseAI-Critical-KillChain

This repository contains a functional exploit PoC for CVE-2025-59528, which chains an unauthenticated password reset token disclosure (CVE-2025-58434) with a remote code execution vulnerability in FlowiseAI. The exploit demonstrates a complete kill chain from zero credentials to a root shell inside a Docker container.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FlowiseAI <= 3.0.5
No auth needed
Prerequisites: target IP/hostname · admin email address
devstral-2 · analyzed Apr 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/kartik2005221/CVE-2025-58434-AND-59528-POC

This repository contains a functional exploit PoC for CVE-2025-58434 (account takeover) and CVE-2025-59528 (RCE) in Flowise. The exploit chains both vulnerabilities to achieve unauthenticated RCE via a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise (Cloud and self-hosted versions prior to patch)
No auth needed
Prerequisites: registered email address in Flowise · network access to target Flowise instance
devstral-2 · analyzed Apr 14, 2026

metasploit WORKING POC EXCELLENT
by Kim SooHyun (im-soohyun), nltt0 · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/flowise_js_rce.rb

This Metasploit module exploits a JavaScript injection vulnerability in Flowise's customMCP endpoint, allowing arbitrary command execution via the mcpServerConfig parameter. It supports both authenticated and unauthenticated exploitation depending on the target version.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Flowise versions >= 2.2.7-patch.1 and < 3.0.6
Auth required
Prerequisites: Network access to the target · Valid credentials for versions >= 3.0.1
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Flowise - Remote Code Execution
CRITICAL · VERIFIED · by xtr0nix

Scores

CVSS v3 10.0
EPSS 0.8527
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull axllent/mailpit:latest
docker pull flowiseai/flowise:3.0.5

Details

VulnCheck KEV 2026-04-05
CWE
CWE-94
Status published
Products (2)
flowiseai/flowise 3.0.5
npm/flowise 3.0.5 - 3.0.6 · npm
Published Sep 22, 2025
Tracked Since Feb 18, 2026