Cybersecurity researchers have warned that cybercriminals are currently leveraging a serious remote code execution vulnerability in Flowise – a widely-used open-source development platform for creating artificial intelligence (AI) applications and workflows.
The vulnerability, known as CVE-2025-59528, is rated with the maximum CVSS score of 10.0 and is the result of Flowise's CustomMCP node not having sufficient security validation. This allows users to define configuration settings for connecting to an external Model Context Protocol (MCP) server. Specifically, the user-supplied mcpServerConfig string is parsed within the application and enables the application to execute arbitrary Javascript code with the complete Node.js run-time permissions.
Consequently, an attacker compromising the mcpServerConfig may utilize Flowise to access highly privileged built-in Node.js modules such as child_process (to execute commands on the host operating system) and fs (for manipulating files) or take total control of the compromised Flowise instance, potentially leading to the total compromise of the server, data exfiltration, or overall control of the instance.
Flowise has since released a patch for this vulnerability with version 3.0.6 of the npm package. The company credited researcher Kim SooHyun with discovering and responsibly reporting the vulnerability.
The VulnCheck reports that there were real world exploit attempts to exploit it already, and one of those attempts was over a single Starlink IP. This is the third Flowise vulnerability (the first two were CVE-2025-8943 (OS command injection) and CVE-2025-26319 (arbitrary file upload)) that has been seen being actively exploited over the last few months.
Caitlin Condon, Vice President of Security Research at VulnCheck, emphasized the seriousness of the situation:
“This is a critical-severity bug in a popular AI platform used by a number of large corporations. With over 12,000 exposed instances on the internet and the vulnerability public for more than six months, defenders have had time to patch but the active scanning we’re seeing makes this particularly concerning.”
Why This Matters
Flowise is widely used by organizations to rapidly prototype and deploy LLM-powered applications. Attackers are able to easily gain access to the environments of many organisations that are currently utilising Flowise by using this critical vulnerability that is present in all Flowise instances that are facing the Internet.
Recommendations
If your company is using Flowise:
1. Upgrade to a minimum version of 3.0.6 (or later).
2. Check all Internet-facing instances and where possible, restrict public access.
3. Check your logs for suspicious activity associated with the CustomMCP node and unusual behaviour of Node.js processes.
4. If you have development environments for AI, you should look into employing network segmentation and the principle of least privilege.
This incident demonstrates that even if an open-source AI tool is well-known or used by many organizations, it can still pose a great deal of risk if it is not patched regularly. Additionally, keeping the core platform and dependent libraries up-to-date in AI development is a significant priority in AI development due to the rapid changes taking place within AI.
Source: The Hacker News
