Flowise — CVSS 10.0 CustomMCP RCE enables full server compromise (CVE-2025-59528)

AI relevance: Flowise is a widely deployed low-code AI agent builder (43K+ GitHub stars, used by Deloitte, Accenture, AWS) whose CustomMCP node passed user-supplied MCP server configuration directly into JavaScript's Function() constructor — giving unauthenticated attackers full Node.js runtime access, including API keys, LLM provider credentials, and connected vector databases.

  • CVE-2025-59528 (CVSS 10.0) is an unauthenticated code injection in Flowise's CustomMCP node, which allows users to configure external Model Context Protocol servers
  • The /api/v1/node-load-method/customMcp endpoint accepted a POST request with an mcpServerConfig parameter and evaluated it via JavaScript's Function() constructor — effectively eval() for user input
  • Exploitation grants full Node.js runtime privileges: child_process for OS command execution, fs for unrestricted file access, and access to all LLM API keys and database credentials stored on the host
  • Active exploitation detected by VulnCheck in April 2026 — more than six months after the patch shipped in Flowise v3.0.6 (September 2025) — from a single Starlink IP conducting opportunistic scanning
  • Between 12,000 and 15,000 Flowise instances are publicly exposed on the internet per scanning infrastructure data
  • This is the third Flowise vulnerability exploited in the wild within 12 months, following CVE-2025-26319 (CVSS 8.9, arbitrary file upload) and CVE-2025-8943 (CVSS 9.8, unauthenticated OS command injection)
  • The fix replaced Function() with JSON5.parse() — treating the input as data rather than executable code
  • Cloud Security Alliance published this analysis as a research note, flagging MCP protocol integration as a recurring attack surface across AI developer tooling

Why It Matters

A compromised Flowise instance is not an isolated endpoint — it is a gateway into broader AI infrastructure. Flowise deployments typically hold API keys for OpenAI, Anthropic, and Google; credentials for connected vector stores; and configuration for RAG pipelines feeding internal data. The six-month exploitation gap after patching reflects a broader pattern: AI developer tools provisioned for experimentation are routinely excluded from organizational vulnerability management programs. CVE-2025-59528 also reinforces the CSA's observation that MCP integration points are becoming a repeatable attack vector across the AI tooling ecosystem — from nginx-ui (CVE-2026-33032) to Flowise to the broader MCP server landscape.

What To Do

  • Patch immediately — upgrade to Flowise v3.1.1 or, at minimum, v3.0.6
  • Scan for exposed instances — Shodan and Censys queries for Flowise's default ports and HTTP fingerprints will identify internet-facing deployments
  • Audit access logs — look for unauthenticated POST requests to /api/v1/node-load-method/customMcp and unexpected outbound connections from your Flowise host
  • Rotate all credentials on any Flowise instance that was unpatched before April 2026 — LLM API keys, database passwords, and connected service tokens should all be considered compromised
  • Network-segment AI developer tools — Flowise, LangFlow, and similar platforms should not be internet-facing; treat them as internal infrastructure with strict access controls
  • Include AI tooling in vulnerability management — sandbox and prototype deployments are as attractive to attackers as production systems holding equivalent credentials
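
One way to run the access-log audit described above, as an added example that is not part of the original note or of Flowise itself. It assumes a reverse proxy in front of Flowise writing nginx/Apache "combined" format logs; because that format does not record request headers such as Authorization, every POST to the endpoint is reported for review, grouped by client IP. The sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory for CVE-2025-59528, lower-cased for comparison.
TARGET = "/api/v1/node-load-method/custommcp"

# Assumption: nginx/Apache "combined" log format written by a reverse proxy.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Drop the query string, percent-decode, lower-case, collapse slashes."""
    path = unquote(urlsplit(target).path).lower()
    return re.sub(r"/{2,}", "/", path).rstrip("/")

def audit(lines):
    """Map client IP -> count, status codes, first/last timestamp of POSTs to TARGET."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalise(m["target"]) != TARGET:
            continue
        h = hits[m["ip"]]
        h["count"] += 1
        h["statuses"].add(int(m["status"]))
        h["first"] = h["first"] or m["ts"]   # logs are assumed chronological
        h["last"] = m["ts"]
    return dict(hits)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/Apr/2026:10:01:11 +0000] "POST /api/v1/node-load-method/customMcp HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Apr/2026:10:01:15 +0000] "POST /api/v1/node-load-method/customMcp?x=1 HTTP/1.1" 500 98 "-" "curl/8.5.0"',
    '198.51.100.4 - - [02/Apr/2026:10:02:00 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Apr/2026:10:03:42 +0000] "POST /api/v1//node-load-method/custommcp/ HTTP/1.1" 401 41 "-" "python-requests/2.32"',
    '198.51.100.4 - - [02/Apr/2026:10:04:00 +0000] "POST /api/v1/prediction/abc HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, h in audit(SAMPLE).items():
        print(ip, h["count"], sorted(h["statuses"]), h["first"], h["last"])
```

Hits answered with a 2xx or 5xx status on an instance older than v3.0.6 deserve the closest look, since a 401 or 403 indicates the request was rejected before reaching the node loader.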
