Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/47559?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47559?format=api", "vulnerability_id": "VCID-2wkq-5agr-6bgz", "summary": "Flowise has Remote Code Execution vulnerability\nThe CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. \nThis node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it \nexecutes JavaScript code without any security validation.\n\nSpecifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which \nevaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous\nmodules such as child_process and fs.", "aliases": [ { "alias": "CVE-2025-59528" }, { "alias": "GHSA-3gcm-f6qx-ff7p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69898?format=api", "purl": "pkg:npm/flowise@3.0.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.6" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69897?format=api", "purl": "pkg:npm/flowise@3.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2wkq-5agr-6bgz" }, { "vulnerability": "VCID-5vb2-73xr-97cw" }, { "vulnerability": "VCID-8wyy-ep3u-xkh5" }, { "vulnerability": "VCID-gjgw-sjnh-zkhr" }, { "vulnerability": "VCID-rhdz-rcy5-y3a6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.5" } ], "references": [ { "reference_url": "https://github.com/FlowiseAI/Flowise", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise" }, { "reference_url": 
"https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5" }, { "reference_url": 
"https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59528", "reference_id": "CVE-2025-59528", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59528" }, { "reference_url": "https://github.com/advisories/GHSA-3gcm-f6qx-ff7p", "reference_id": "GHSA-3gcm-f6qx-ff7p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3gcm-f6qx-ff7p" }, { "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p", "reference_id": "GHSA-3gcm-f6qx-ff7p", "reference_type": "", "scores": [], "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p" } ], "weaknesses": [ { "cwe_id": 94, "name": "Improper Control of Generation of Code ('Code Injection')", "description": "The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." 
}, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2wkq-5agr-6bgz" }