CVE-2025-59528 is a critical remote code execution (RCE) vulnerability affecting FlowiseAI's Flowise product, specifically version 3.0.5. Flowise is a drag-and-drop interface designed to build customized large language model flows. The vulnerability resides in the CustomMCP node, which allows users to input configuration settings for connecting to an external MCP server. The issue arises because the node processes the user-supplied mcpServerConfig string by passing it directly to the JavaScript Function() constructor inside the convertToValidJSONString function without any security validation or sanitization. This means that arbitrary JavaScript code embedded in the input is executed with full Node.js runtime privileges. Since Node.js has access to powerful modules such as child_process and fs, an attacker can execute arbitrary system commands, read or write files, and potentially take full control of the host system. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code, i.e., Code Injection). The CVSS v3.1 score is 10.0 (critical), reflecting its ease of exploitation (network attack vector, no privileges or user interaction required) and its severe impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the vulnerability was publicly disclosed on 2025-09-22 and patched in Flowise version 3.0.6. Organizations running version 3.0.5 or earlier are at immediate risk if their Flowise instances are exposed to untrusted users or networks. Attackers could leverage this flaw to fully compromise affected systems, steal sensitive data, disrupt services, or pivot within internal networks.

For European organizations, the impact of this vulnerability can be severe, especially for those using Flowise in production environments for AI workflow orchestration. Successful exploitation can lead to full system compromise, allowing attackers to exfiltrate sensitive data, disrupt AI services, or use compromised hosts as footholds for further attacks. This is particularly critical for sectors relying on AI-driven decision-making or data processing, such as finance, healthcare, manufacturing, and government agencies. The ability to execute arbitrary code remotely without authentication means that any exposed Flowise instance is a high-value target. Additionally, the compromise of AI workflows could undermine trust in automated processes and lead to regulatory and compliance issues under GDPR and other European data protection laws. The critical severity and network-exploitable nature of this vulnerability necessitate immediate attention to prevent potential data breaches and operational disruptions.

1. Immediate upgrade: Organizations should promptly update Flowise to version 3.0.6 or later, where this vulnerability is patched. 2. Network segmentation: Restrict access to Flowise management interfaces to trusted internal networks or VPNs to minimize exposure to untrusted actors. 3. Input validation: Although the patch addresses the root cause, additional input validation and sanitization should be implemented to prevent arbitrary code execution. 4. Monitoring and detection: Deploy monitoring solutions to detect anomalous behavior on hosts running Flowise, such as unexpected child process creation or unusual file system access. 5. Access controls: Enforce strict access controls and authentication mechanisms around Flowise interfaces to reduce the risk of unauthorized configuration changes. 6. Incident response readiness: Prepare incident response plans to quickly isolate and remediate compromised systems if exploitation is suspected. 7. Vendor communication: Stay informed via FlowiseAI security advisories for any further updates or mitigations.