Flowise 3.0.4 RCE Vulnerability: What You Need to Know

Updated on November 16, 2025

A recently disclosed vulnerability in Flowise versions below 3.0.5 exposes organizations to a serious risk: remote code execution (RCE) through an internal API path that isn’t properly secured.
The issue has been assigned CVE‑2025‑59528.

While Flowise is widely used for building LLM workflows, its backend exposes a few high‑privilege methods that weren’t designed to be reachable by ordinary authenticated users. One of these methods makes it possible to slip in arbitrary JavaScript and trigger OS‑level commands on the host system.

How the Vulnerability Happens

To exploit the flaw, an attacker only needs:

  1. A valid Flowise user account
  2. Network access to the Flowise server
  3. A crafted payload delivered through the /api/v1/node-load-method/customMCP endpoint

The vulnerability stems from how Flowise loads and executes “custom MCP server configurations.” The API fails to properly sanitize the input passed into mcpServerConfig, which ends up being processed by Node.js directly.

The result?
Injected code runs on the server with the same privileges as the Flowise process.

What the Exploit Does

The exploit uses two simple steps:

1. Log in using valid credentials

The script authenticates using the /api/v1/auth/login endpoint. Once authenticated, it carries the active session forward.

2. Send a malicious payload disguised as MCP configuration

Inside the request body, the exploit hides a JavaScript function that loads the child_process module and executes system commands.
Because Flowise evaluates this input without sandboxing, the attacker gains direct command execution.

Once the flaw is exploited, any system command, from whoami to one that downloads malware, can be run silently.

Why This Matters

RCE flaws in workflow automation tools like Flowise are particularly dangerous because:

  1. They run on powerful servers
  2. They often integrate with other internal systems
  3. They store API keys and credentials
  4. They may have network access to sensitive infrastructure

This creates a perfect opening for lateral movement or data exfiltration.

Affected Versions

  1. All Flowise versions below 3.0.5
  2. Fixed in: Flowise 3.0.5

If your system is still running an older version, upgrade immediately.

Mitigation Steps

  1. Update to Flowise 3.0.5 or later
  2. Restrict access to the Flowise admin panel
  3. Rotate any credentials stored in Flowise
  4. Review server logs for suspicious POST requests to /customMCP
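
One way to carry out the log review in step 4, as an added example that is not part of the original article or of Flowise: a Python triage script that assumes a reverse proxy in front of Flowise writes access logs in combined log format. The log lines and IP addresses are constructed samples, and find_custom_mcp_posts and normalise are hypothetical helper names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoints named in the article, lower-cased for comparison.
LOGIN_PATH = "/api/v1/auth/login"
MCP_PATH = "/api/v1/node-load-method/custommcp"

# Assumption: combined log format, ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Nov/2025:10:01:02 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Nov/2025:10:02:10 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 310 "-" "python-requests/2.32"
203.0.113.9 - - [16/Nov/2025:10:02:11 +0000] "POST /api/v1/node-load-method/customMCP HTTP/1.1" 200 88 "-" "python-requests/2.32"
198.51.100.7 - - [16/Nov/2025:10:05:00 +0000] "POST /api/v1/node-load-method/customMCP/?x=1 HTTP/1.1" 500 40 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def normalise(target):
    """Lower-case the path and drop query string and trailing slash."""
    return urlsplit(target).path.rstrip("/").lower()

def find_custom_mcp_posts(log_text):
    """Return one finding per POST to the customMCP endpoint, in log order."""
    logged_in = defaultdict(bool)   # client IP -> successful login POST seen earlier
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalise(m["target"])
        if path == LOGIN_PATH and m["status"].startswith("2"):
            logged_in[m["ip"]] = True
        elif path == MCP_PATH:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                # Login then customMCP from one client: the article's two-step sequence.
                "login_seen_first": logged_in[m["ip"]],
            })
    return findings

if __name__ == "__main__":
    for f in find_custom_mcp_posts(SAMPLE_LOG):
        print(f)
```

Access logs do not record request bodies, so each finding is a lead to check against the Flowise version that was running at that time, not proof of compromise.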

This vulnerability is a strong reminder that even well‑engineered AI tools can expose serious security gaps. As LLM‑driven applications grow in popularity, attackers are paying more attention to the infrastructure behind them.

If Flowise is part of your stack, patching now should be a top priority.

More: https://www.exploit-db.com/exploits/52440

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067