Critical Flowise AI Vulnerability Exploited: Over 12,000 Instances at Risk
A severe security flaw in Flowise, an open-source artificial intelligence (AI) platform, is currently under active exploitation, posing significant risks to numerous organizations. The vulnerability, identified as CVE-2025-59528 with a maximum CVSS score of 10.0, allows for remote code execution through code injection.
Flowise’s advisory from September 2025 highlights that the issue originates from the CustomMCP node, which enables users to input configuration settings for connecting to external Model Context Protocol (MCP) servers. During the parsing of the user-provided `mcpServerConfig` string, the system executes JavaScript code without proper security validation. This oversight grants attackers access to critical modules like `child_process` and `fs`, running with full Node.js runtime privileges.
Exploitation of this flaw can lead to complete system compromise, unauthorized file system access, command execution, and potential exfiltration of sensitive data. Notably, only an API token is required to exploit this vulnerability, significantly elevating the security risk to business operations and customer information. The vulnerability was discovered and reported by security researcher Kim SooHyun and has been addressed in version 3.0.6 of the npm package.
Security firm VulnCheck has observed exploitation activities originating from a single Starlink IP address. This marks the third instance of Flowise vulnerabilities being exploited in the wild, following CVE-2025-8943 (CVSS score: 9.8), an operating system command remote code execution flaw, and CVE-2025-26319 (CVSS score: 8.9), an arbitrary file upload vulnerability.
Caitlin Condon, Vice President of Security Research at VulnCheck, emphasized the gravity of the situation, stating, This is a critical-severity bug in a popular AI platform used by a number of large corporations. She noted that the vulnerability has been public for over six months, providing ample time for defenders to prioritize and implement patches. However, with over 12,000 internet-exposed instances, the active scanning and exploitation attempts are particularly concerning, as attackers have numerous targets to exploit opportunistically.
