Vulnerability Summary for the Week of September 22, 2025

2025-09-29 22:09

High Vulnerabilities

Primary Vendor — Product	Description	Published	CVSS Score	Source Info	Patch Info
FlowiseAI–Flowise	Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6.	2025-09-22	10	CVE-2025-59528	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220 This article has been indexed from Bulletins Read the original article: Vulnerability Summary for the Week of September 22, 2025 Share this: Facebook X LinkedIn Related Tags: Bulletins EN Post navigation ← Isolate Your Database: VPC for Managed Databases Is Available Now IT Security News Hourly Summary 2025-09-29 21h : 4 posts → Search for: Pages Advertising Contact Legal and Contact information Opt-out preferences Privacy Policy Social Media Apps Telegram Channel Recent Posts IT Security News Hourly Summary 2025-09-30 00h : 5 posts September 30, 2025 Check Point and Wiz Roll Out Integrated Cloud Security Solution September 30, 2025 IT Security News Daily Summary 2025-09-29 September 30, 2025 Inside North Korea’s DeceptiveDevelopment Job Fraud, Malware Scheme September 30, 2025 USENIX 2025: PEPR ’25 – Establishing Privacy Metrics For Genomic Data Analysis September 30, 2025 Security Breaches Found in AI-Powered Repair Tool Wondershare RepairIt September 29, 2025 Dynamic DNS Abuse Helps Threat Actors Evade Detection and Persist September 29, 2025 UK grants £1.5B loan to Jaguar Land Rover after cyberattack September 29, 2025 Asahi runs dry as online attackers take down Japanese brewer September 29, 2025 One line of malicious npm code led to massive Postmark email heist September 29, 2025 Apple Patches Single Vulnerability CVE-2025-43400, (Mon, Sep 29th) September 29, 2025 CISA Adds Five Known Exploited Vulnerabilities to Catalog September 29, 2025 CISA Strengthens Commitment to SLTT Governments September 29, 2025 IT Security News Hourly Summary 2025-09-29 21h : 4 posts September 29, 2025 Vulnerability Summary for the Week of September 22, 2025 September 29, 2025 Isolate Your Database: VPC for Managed Databases Is Available Now September 29, 2025 5 Manual Testing Techniques Every Tester Should Know September 29, 2025 Build secure network architectures for generative AI applications using AWS services September 29, 2025 Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400), (Mon, Sep 29th) September 29, 2025 Millions at Risk From Notepad++ DLL Hijacking Vulnerability September 29, 2025 Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com. Manage Consent To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions. Functional Functional Always active The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. Preferences Preferences The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. Statistics Statistics The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you. Marketing Marketing The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. Manage options Manage services Manage {vendor_count} vendors Read more about these purposes View preferences {title} {title} {title}