A recently disclosed vulnerability in Flowise versions below 3.0.5 exposes organizations to a serious risk: remote code execution (RCE) through an internal API path that isn’t properly secured.
The issue has been assigned CVE-2025-59528.
While Flowise is widely used for building LLM workflows, its backend exposes a few high‑privilege methods that weren’t designed to be reachable by ordinary authenticated users. One of these methods makes it possible to slip in arbitrary JavaScript and trigger OS‑level commands on the host system.
How the Vulnerability Happens
To exploit the flaw, an attacker only needs:
- A valid Flowise user account
- Network access to the Flowise server
- A crafted payload delivered through the /api/v1/node-load-method/customMCP endpoint
The vulnerability stems from how Flowise loads and executes “custom MCP server configurations.” The API fails to properly sanitize the input passed into mcpServerConfig, which ends up being processed by Node.js directly.
The result?
Injected code runs on the server with the same privileges as the Flowise process.
What the Exploit Does
The exploit uses two simple steps:
1. Log in using valid credentials
The script authenticates using the /api/v1/auth/login endpoint. Once authenticated, it carries the active session forward.
2. Send a malicious payload disguised as MCP configuration
Inside the request body, the exploit hides a JavaScript function that loads the child_process module and executes system commands.
Because Flowise evaluates this input without sandboxing, the attacker gains direct command execution.
Once exploited, any system command, from whoami to downloading malware, can be run silently.
Why This Matters
RCE flaws in workflow automation tools like Flowise are particularly dangerous because:
- They run on powerful servers
- They often integrate with other internal systems
- They store API keys and credentials
- They may have network access to sensitive infrastructure
This creates a perfect opening for lateral movement or data exfiltration.
Affected Versions
- All Flowise versions below 3.0.5
- Fixed in: Flowise 3.0.5
If your system is still running an older version, upgrade immediately.
Mitigation Steps
- Update to Flowise 3.0.5 or later
- Restrict access to the Flowise admin panel
- Rotate any credentials stored in Flowise
- Review server logs for suspicious POST requests to /customMCP
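The log review in the last mitigation step can be scripted. The following Python is an added example, not code from Flowise or from the original write-up; it assumes a reverse proxy in front of Flowise writes combined-format access logs, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory text above, lowercased for comparison.
TARGET_PATH = "/api/v1/node-load-method/custommcp"

# Assumption: combined log format, e.g. from nginx or Apache in front of Flowise.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode percent-escapes, collapse slashes, lowercase."""
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/{2,}", "/", path).rstrip("/")
    return path.lower()

def find_custom_mcp_posts(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the customMCP endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        if normalize_path(m["target"]) == TARGET_PATH:
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2025:09:14:01 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [12/Oct/2025:09:14:02 +0000] "POST /api/v1/node-load-method/customMCP HTTP/1.1" 200 87 "-" "python-requests/2.32"',
    '198.51.100.20 - - [12/Oct/2025:09:20:44 +0000] "GET /api/v1/node-load-method/customMCP HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2025:09:21:10 +0000] "POST /api/v1//node-load-method/custom%4DCP/?x=1 HTTP/1.1" 500 40 "-" "python-requests/2.32"',
    'garbage line that does not parse',
    '192.0.2.55 - - [12/Oct/2025:10:02:33 +0000] "POST /api/v1/chatflows HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_custom_mcp_posts(SAMPLE_LOG).items():
        for ts, status in events:
            print(f"{ip}\t{ts}\tHTTP {status}")
```

Treat a hit as a lead to correlate with the preceding login and with host activity around the same time, not as proof of exploitation.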
This vulnerability is a strong reminder that even well‑engineered AI tools can expose serious security gaps. As LLM‑driven applications grow in popularity, attackers are paying more attention to the infrastructure behind them.
If Flowise is part of your stack, patching now should be a top priority.