Flowise AI Agent Builder Faces Critical CVSS 10.0 RCE Vulnerability With 12,000+ Exposed Instances Under Active Exploitation
- Apr 7
Key Findings
CVE-2025-59528, a maximum-severity code injection vulnerability (CVSS 10.0), is being actively exploited against Flowise, an open-source AI platform
The flaw allows remote code execution with only an API token required for exploitation
Over 12,000 Flowise instances are exposed and vulnerable to attack
Exploitation activity has been confirmed originating from a single Starlink IP address
The vulnerability was patched in version 3.0.6 but remains unpatched on thousands of internet-facing deployments
This is the third critical Flowise vulnerability exploited in the wild within recent months
Background
Flowise is a popular open-source AI agent builder platform used by numerous large corporations for deploying AI workflows. The platform gained significant adoption as businesses moved to implement custom AI solutions. However, the project has experienced multiple critical vulnerabilities in rapid succession, raising concerns about the security practices surrounding widely deployed AI infrastructure.
The Vulnerability Details
CVE-2025-59528 exists in Flowise's CustomMCP node, which allows users to configure connections to external MCP (Model Context Protocol) servers. The vulnerability stems from a fundamental security flaw: the platform parses user-provided configuration strings and executes JavaScript code without any validation or sandboxing.
When attackers provide malicious input through the mcpServerConfig parameter, the code runs with full Node.js runtime privileges. This means attackers gain access to dangerous modules including child_process for command execution and fs for file system manipulation. An attacker with just an API token can execute arbitrary JavaScript and achieve complete system compromise, including data exfiltration and lateral movement within the victim's infrastructure.
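One way to treat a user-supplied server configuration string strictly as data, shown as an added Node.js example that is not Flowise's code or its patch. The function name and the command/args/env schema are assumptions made for illustration.

```javascript
// Added example: hypothetical strict parser for an MCP server config string.
// The field names (command, args, env) are an assumed schema, not Flowise's.
const ALLOWED_KEYS = new Set(["command", "args", "env"]);
const MAX_LEN = 4096;

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

function parseMcpServerConfig(raw) {
  if (typeof raw !== "string" || raw.length > MAX_LEN) {
    throw new TypeError("config must be a string of bounded length");
  }
  // JSON.parse treats the input as data only; anything that is JavaScript
  // but not JSON raises a SyntaxError, so it is never evaluated.
  const cfg = JSON.parse(raw);
  if (!isPlainObject(cfg)) throw new TypeError("config must be a JSON object");
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError(`unexpected key: ${key}`);
  }
  if (typeof cfg.command !== "string" || cfg.command.length === 0) {
    throw new TypeError("command must be a non-empty string");
  }
  const args = cfg.args === undefined ? [] : cfg.args;
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new TypeError("args must be an array of strings");
  }
  const env = cfg.env === undefined ? {} : cfg.env;
  if (!isPlainObject(env) || !Object.values(env).every((v) => typeof v === "string")) {
    throw new TypeError("env must map names to strings");
  }
  // Copy into fresh objects so only validated fields leave this function.
  return Object.freeze({
    command: cfg.command,
    args: Object.freeze([...args]),
    env: Object.freeze({ ...env }),
  });
}

// Helper for callers and tests: true when the input is rejected.
function isRejected(raw) {
  try { parseMcpServerConfig(raw); return false; } catch { return true; }
}

// Constructed sample inputs.
const VALID = '{"command":"npx","args":["-y","example-mcp-server"],"env":{"LOG":"info"}}';
const JS_LITERAL = '{command: "npx"}';                // JS object literal, not JSON
const JS_EXPRESSION = '(() => ({command: "npx"}))()'; // expression, not JSON
```

Shape validation of this kind only guarantees the input is never evaluated as code; which command a validated configuration may launch is a separate policy decision.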
Active Exploitation Campaign
According to VulnCheck's findings, threat actors are already weaponizing this vulnerability in real-world attacks. The exploitation activity has been traced to a single Starlink IP address, though the massive attack surface of 12,000+ exposed instances suggests opportunistic scanning and exploitation attempts are likely widespread.
Caitlin Condon, vice president of security research at VulnCheck, emphasized the severity: "This is a critical-severity bug in a popular AI platform used by a number of large corporations. The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we're seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit."
Broader Context
This represents the third major Flowise vulnerability with confirmed in-the-wild exploitation. CVE-2025-8943 (CVSS 9.8) involved operating system command execution, while CVE-2025-26319 (CVSS 8.9) allowed arbitrary file uploads. The pattern of critical vulnerabilities in rapid succession suggests systemic security issues within the platform's development lifecycle.
The six-month gap between public disclosure and active exploitation gave defenders time to patch, yet thousands of instances remain vulnerable, indicating poor vulnerability awareness, resource constraints, or organizational oversight in managing this critical infrastructure.
Remediation
Users should immediately upgrade to Flowise version 3.0.6 or later. Organizations operating Flowise instances should audit their deployments to ensure they're running patched versions and restrict API token access to trusted parties only.
Sources
https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html
https://aisecwatch.com/issues/13c5de48-a676-421e-9bd9-62fcc85992b8
https://www.reddit.com/r/ArtificialInteligence/comments/1seskzy/flowise_ai_agent_builder_under_active_cvss_100/
https://www.reddit.com/r/cybersecurity/comments/1sesllm/flowise_ai_agent_builder_under_active_cvss_100/
https://x.com/TheHackersNews/status/2041394956779262327
