CNNVD-202509-3230 Information
CNNVD ID
CNNVD-202509-3230
Related CVE
- CNNVD Published: 2025-09-22
Description (Chinese)
Flowise is an open-source tool from FlowiseAI for easily building LLM applications. Flowise version 3.0.5 contains a code injection vulnerability: the CustomMCP node directly executes user-supplied JavaScript code, which may lead to remote code execution.
Description (English)
Flowise is an open-source tool for easily building LLM applications. Flowise version 3.0.5 contains a code injection vulnerability that originates in the CustomMCP node, which directly executes JavaScript code entered by the user and may lead to remote code execution.
Hazard Level
High
Vulnerability Type
Code injection
Affected Vendor
FlowiseAI
Published
2025-09-22
Last Modified
2026-02-24
References
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220
https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p
https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78
https://cxsecurity.com/issue/WLB-2025110001
https://www.exploit-db.com/exploits/52440
https://access.redhat.com/security/cve/cve-2025-59528
Patch
https://github.com/FlowiseAI/Flowise/releases