Threat actors are exploiting a maximum-severity vulnerability in Flowise, CVE-2025-59528 (CVSS 10.0), exposing 12,000+ Flowise instances, according to VulnCheck. Flowise said in an advisory released in September 2025 that the CustomMCP node parses a user-provided mcpServerConfig string to build MCP server configuration and, crucially, executes JavaScript code during this process without any security validation.
Exploitation can grant access to dangerous modules such as child_process and fs, running with full Node.js runtime privileges and enabling arbitrary JavaScript execution on the Flowise server. In practical terms, a threat actor weaponising the flaw could achieve full system compromise, file-system access, command execution, and sensitive data exfiltration. The issue was addressed in version 3.0.6 of the Flowise npm package, following public disclosure that had been active for at least six months prior.
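The root cause described above is a configuration string being treated as code rather than as data. The Node.js snippet below is an added illustration, not code from Flowise or from the advisory: it places the weak pattern (evaluating the string) beside a data-only parser that accepts strict JSON, allowlists keys, rejects prototype-polluting names, and adds a version gate against the fixed release, 3.0.6. The config layout it assumes (`{ "mcpServers": { name: { command, args, env, url } } }`), the size cap, and the function names are assumptions, not taken from the page.

```javascript
// Added illustration, not Flowise project code. Contrasts a config string that is
// *executed* as JavaScript with one that is *parsed* as data, and gates on the
// patched release. The mcpServers/command/args/env/url layout is an assumption.

const FIXED_VERSION = '3.0.6';                       // first patched npm release (from the advisory)
const ALLOWED_SERVER_KEYS = new Set(['command', 'args', 'env', 'url']); // assumed schema
const MAX_CONFIG_BYTES = 16 * 1024;                  // assumed defensive size cap

// Weak pattern, shown for contrast only: configuration treated as code. Any
// expression in the string runs with the process's full Node.js privileges,
// which is the failure mode the advisory describes.
function parseConfigUnsafe(str) {
  return new Function(`return (${str});`)();
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Validate one server entry and copy only the fields we recognise.
function validateServer(name, server) {
  if (!isPlainObject(server)) throw new TypeError(`server "${name}" must be an object`);
  for (const key of Object.keys(server)) {
    if (!ALLOWED_SERVER_KEYS.has(key)) throw new TypeError(`server "${name}": unknown key "${key}"`);
  }
  const hasCommand = typeof server.command === 'string';
  const hasUrl = typeof server.url === 'string';
  if (hasCommand === hasUrl) throw new TypeError(`server "${name}": exactly one of command or url is required`);
  if (server.args !== undefined &&
      !(Array.isArray(server.args) && server.args.every(a => typeof a === 'string'))) {
    throw new TypeError(`server "${name}": args must be an array of strings`);
  }
  if (server.env !== undefined) {
    if (!isPlainObject(server.env)) throw new TypeError(`server "${name}": env must be an object`);
    for (const v of Object.values(server.env)) {
      if (typeof v !== 'string') throw new TypeError(`server "${name}": env values must be strings`);
    }
  }
  const out = {};
  if (hasCommand) out.command = server.command;
  if (hasUrl) out.url = server.url;
  if (server.args) out.args = [...server.args];
  if (server.env) out.env = { ...server.env };
  return out;
}

// Hardened pattern: the string is data. Strict JSON only, then schema checks.
function parseConfigSafe(str) {
  if (typeof str !== 'string') throw new TypeError('mcpServerConfig must be a string');
  if (Buffer.byteLength(str, 'utf8') > MAX_CONFIG_BYTES) throw new RangeError('mcpServerConfig too large');
  let parsed;
  try {
    parsed = JSON.parse(str);
  } catch {
    throw new SyntaxError('mcpServerConfig must be strict JSON (no code, comments or expressions)');
  }
  if (!isPlainObject(parsed) || !isPlainObject(parsed.mcpServers)) {
    throw new TypeError('expected an object of the form { "mcpServers": { ... } }');
  }
  const servers = Object.create(null); // null prototype: nothing to pollute
  for (const [name, server] of Object.entries(parsed.mcpServers)) {
    if (name === '__proto__' || name === 'constructor' || name === 'prototype') {
      throw new TypeError(`illegal server name "${name}"`);
    }
    if (!/^[A-Za-z0-9_-]{1,64}$/.test(name)) throw new TypeError(`invalid server name "${name}"`);
    servers[name] = validateServer(name, server);
  }
  return { mcpServers: servers };
}

// Version gate: refuse CustomMCP configuration until the package is at or above
// the fixed release. Plain dotted x.y.z comparison; pre-release tags are ignored.
function isPatchedVersion(version) {
  const parse = v => v.split('.').map(n => Number.parseInt(n, 10));
  const have = parse(version);
  const need = parse(FIXED_VERSION);
  if (have.length !== 3 || have.some(Number.isNaN)) throw new TypeError(`bad version "${version}"`);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] > need[i];
  }
  return true;
}
```

The contrast to keep in mind when reviewing similar node code: `JSON.parse` cannot execute anything, so the only remaining exposure is what the validated fields are later used for (for example the `command` that gets spawned), which is a separate authorisation decision rather than a parsing one.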
The Hacker News notes that exploitation activity has originated from a single Starlink IP address, emphasising the severity of the in-the-wild risk to organisations using Flowise.