## https://sploitus.com/exploit?id=1D2ED15F-C3BE-5DEF-9DE7-CE96563EDE5C
# CVE-2025-59528 - Flowise CustomMCP Node RCE (PoC)
## Overview
This repo contains a proof of concept demonstrating **CVE-2025-59528** in Flowise v3.0.5.
The vulnerability exists in the `customMCP` node, where user-supplied `mcpServerConfig` input is processed in a way that leads to JavaScript code execution via unsafe evaluation using the `Function` constructor.
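As an added illustration (not code from the Flowise project or from this repo), the unsafe-evaluation pattern described above beside a hardened parser that treats the input as data; the function names and the allow-listed keys are assumptions.

```javascript
// Added illustration, not Flowise's code: the unsafe-evaluation pattern the
// advisory describes, next to a hardened parser. Function/key names are assumed.

// Vulnerable pattern: the user-controlled mcpServerConfig string is turned into an
// object by evaluating it as JavaScript, so any expression in it runs on the server.
function parseConfigUnsafe(mcpServerConfig) {
  return new Function('return ' + mcpServerConfig)();
}

// Hardened pattern: treat the input strictly as JSON data, then validate shape.
// The allow-listed keys are an assumption about what an MCP server entry needs.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url']);
function parseConfigSafe(mcpServerConfig) {
  let parsed;
  try {
    parsed = JSON.parse(mcpServerConfig); // data only, never code
  } catch (e) {
    throw new Error('mcpServerConfig is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  if (parsed.command !== undefined && typeof parsed.command !== 'string') {
    throw new Error('command must be a string');
  }
  if (parsed.args !== undefined &&
      !(Array.isArray(parsed.args) && parsed.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  return parsed;
}

// Constructed inputs: a well-formed config, and a string that is a JavaScript
// expression rather than JSON. Its only side effect is setting a marker so the
// difference between the two parsers is observable.
const BENIGN_CONFIG = '{"command": "npx", "args": ["-y", "example-mcp-server"]}';
const EXPRESSION_CONFIG = '(globalThis.configWasEvaluated = true, {"command": "npx"})';

function demo() {
  globalThis.configWasEvaluated = false;
  parseConfigUnsafe(EXPRESSION_CONFIG);          // marker flips: the input ran as code
  let safeRejected = false;
  try { parseConfigSafe(EXPRESSION_CONFIG); } catch (e) { safeRejected = true; }
  return { unsafeRanCode: globalThis.configWasEvaluated, safeRejected,
           benign: parseConfigSafe(BENIGN_CONFIG) };
}
```

The hardened parser rejects anything that is not a JSON object with the expected keys, so the fix is to never hand the string to `Function` or `eval` at all.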
## Affected Versions
| Affected | Fixed |
|----------|-------|
| 3.0.5 | 3.0.6 |
## Impact
An authenticated user may be able to execute arbitrary JavaScript on the server, potentially leading to remote code execution.
## Installation
### OSX/Linux
```bash
git clone https://github.com/vanhari/CVE-2025-59528.git
cd CVE-2025-59528
```
### Windows
```bash
git clone https://github.com/vanhari/CVE-2025-59528.git
cd CVE-2025-59528
```
## Usage
```bash
python3 CVE-2025-59528.py -t "" --api-key --lhost --lport
```

## Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.