ATTACKERS are actively exploiting a critical Flowise vulnerability tracked as CVE-2025-59528, which permits remote code execution and full system takeover by abusing inadequate validation of user‑supplied JavaScript. The flaw impacts the open‑source AI workflow platform and puts thousands of publicly accessible instances at immediate risk according to Security Affairs. VulnCheck estimates that between 12,000 and 15,000 Flowise servers are reachable from the internet, many likely running unpatched versions. Successful exploitation grants attackers the ability to execute arbitrary commands, read files and pivot further into internal networks.
The issue resides in the CustomMCP node where the convertToValidJSONString function passes user input straight to the JavaScript Function() constructor, allowing attackers to run arbitrary code with full Node.js privileges. By supplying a malicious MCP server configuration string, threat actors can invoke dangerous modules such as child_process and fs to spawn shells or exfiltrate data. Versions up to 3.0.5 are vulnerable while version 3.0.6, released in September 2025, contains the fix as noted by SecurityWeek. No authentication is required for the attack, making it trivial for automated scanners to compromise exposed hosts.
VulnCheck first observed in‑the‑world exploitation attempts originating from a single Starlink‑associated IP address and estimates that between 12,000 and 15,000 Flowise instances are exposed online. The vulnerability carries a CVSS score of 10.0 reflecting its potential for unauthenticated remote compromise as detailed by The Hacker News. Early payloads observed in the wild include commands to download additional tools and establish reverse shells, indicating a move beyond simple probing. While no specific threat actor has been attributed, the activity bears the hallmarks of opportunistic campaigns targeting misconfigured AI services.
The access gained through CVE-2025-59528 enables adversaries to read configuration files, harvest credentials stored on the host and collect data from any mounted volumes. Attackers can also manipulate or delete files, disrupting workflows and potentially destroying valuable AI models or datasets. This highlights the risks inherent in low‑code AI builder platforms that expose powerful backend functions to user‑controlled input per analysis from SentinelOne. Organizations that rely on Flowise for orchestrating language model chains should treat any exposed instance as a high‑value target until patched.
Defenders should upgrade Flowise to version 3.0.6 or later without delay, disable public access to the CustomMCP node when it is not required and enforce strict egress filtering to block outbound connections to unknown endpoints. Monitoring logs for unexpected child_process spawns, anomalous JavaScript execution or outbound traffic to uncommon ports can aid early detection. Administrators are advised to review Flowise configurations, remove any unnecessary MCP integrations and ensure that the service runs under a dedicated, low‑privilege account. Applying network segmentation to isolate Flowise from critical assets reduces the lateral movement potential if a host is compromised. Guidance on these steps is available in the GitHub advisory.
Additional measures include placing Flowise behind a network segmentation zone, deploying a web application firewall capable of inspecting and blocking malicious payloads, maintaining an up‑to‑date inventory of all Flowise deployments and running the service under a least‑privileged account. Incident response playbooks should isolate affected hosts, preserve volatile memory and disk images for forensic analysis and notify relevant stakeholders promptly. Regular vulnerability scanning and patch management cycles will help prevent similar issues from arising in other low‑code tools. Guidance on mitigating similar flaws can be found in the SonicWall blog.