FlowiseAI, Code Injection, CVE-2025-59528 (Critical)

Listen to this Post

The vulnerability resides in the `CustomMCP` node, which is designed to connect to external Model Context Protocol (MCP) servers. When a user adds a new MCP server via the “Custom MCP” configuration at http://localhost:3000/canvas`, they can specify a "stdio" server. The flaw is in the unsafe evaluation of user-supplied input in the `mcpServerConfig` setting. Although the code includes sanitization functions like `validateCommandInjection` and `validateArgsForLocalFileAccess` alongside a list of predefined "safe" commands, these protections are insufficient. An attacker can bypass them by using an allowed command, such asnpx, and combining it with malicious arguments. For example, the `-c` argument allows `npx` to execute arbitrary system commands, liketouch /tmp/pwn. The unsafe evaluation occurs because the server does not properly validate the combination of a command and its arguments. This allows an attacker to inject arbitrary JavaScript code, which is then executed by the server, leading to remote code execution (RCE). The vulnerable code paths can be found in the `core.ts` file at lines 223, 177, and 269. The exploitation is authenticated, meaning the attacker must have valid credentials to access the `/canvas` endpoint. However, once authenticated, the attacker can achieve full command execution on the underlying operating system. This vulnerability is tracked as CVE-2025-59528 and has a CVSS score of 10.0, indicating critical severity. Active exploitation has been detected in the wild.
Platform: FlowiseAI
Version: before 3.0.6
Vulnerability : Code Injection
Severity: Critical
date: 2026-04-16
<h2 style="color: blue;">Prediction: September 2025</h2>
<h2 style="color: blue;">Analytics under What Undercode Say:</h2>

Proof-of-concept command injection
curl -X POST http://localhost:3000/api/v1/node-load-method/customMCP \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <your_jwt_token>" \
-d '{
"mcpServerConfig": {
"command": "npx",
"args": ["-c", "touch /tmp/pwn"]
}
}'

<h2 style="color: blue;">Exploit:</h2>
<h2 style="color: blue;">1. Authenticate to the FlowiseAI instance.</h2>
2. Navigate to the Custom MCP configuration page (
/canvas).
3. Create a new MCP server with the type "stdio".
4. Set the command to `npx` and the arguments to `-c` and a malicious system command (e.g.,
id > /tmp/exploit`).
5. Save the configuration. The server will execute the injected command.

Protection from this CVE

Upgrade to FlowiseAI version 3.0.6 or later. If upgrading is not immediately possible, restrict network access to the FlowiseAI instance and enforce strict input validation on the `mcpServerConfig` parameter, disallowing the use of `npx` with the `-c` flag.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host operating system, leading to full system compromise, data exfiltration, and further lateral movement within the network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top