27 matches found
CVE-2025-59528 Flowise has Remote Code Execution vulnerability
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...
CVE-2025-59528 Flowise has Remote Code Execution vulnerability
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...
CVE-2025-59528
Flowise 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig string is parsed and passed to the Function() constructor via convertToValidJSONString without validation, allowing an attacker to execute arbitrary JavaScript with Node.js privileges (e.g., ac...
Flowise has unsandboxed remote code execution via Custom MCP
Summary The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, the default installation of...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertToValidJSONString function. An attacker can execute arbitrary JavaScript code with full server privileges by supplying malicious input to the...
Flowise has Remote Code Execution vulnerability
Description Cause of the Vulnerability The CustomMCP node allows users to input configuration settings for connecting to an external MCP Model Context Protocol server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it...
PT-2025-39075
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.6 Description Flowise is a drag-and-drop user interface for building customized large language model flows. A critical issue exists in the CustomMCP node, which allows users to input configuration settings for...