Flowise, a widely used open-source artificial intelligence platform, is currently facing active exploitation of a critical security vulnerability with a CVSS score of 10.0, according to recent findings from VulnCheck. The flaw, identified as CVE-2025-59528, is a code injection vulnerability that enables remote code execution on affected systems. Security researchers warn that more than 12,000 publicly exposed instances of Flowise may be at risk, raising significant concerns for business continuity and data protection.
The vulnerability is tied to the CustomMCP node, which allows users to input configuration settings for connecting to an external Model Context Protocol server. Flowise reported in an advisory released in September 2025 that the node parses the user-provided mcpServerConfig string and executes JavaScript code without proper validation. This flaw enables attackers to access critical Node.js modules, including child_process for command execution and fs for file system access. Successful exploitation can lead to full system compromise, arbitrary code execution, sensitive data exfiltration, and unauthorized operations on affected servers.
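The root cause described above is a configuration string being treated as code. The following is an added example, not Flowise's code or its actual fix: it parses such a string strictly as JSON and validates it against an allowlist. The field names `command`, `args`, `env` and `url`, the allowed commands and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not Flowise code: treat an MCP server config as data, never as code.
// Field names, size limit and the command allowlist are assumptions for illustration.
const ALLOWED_KEYS = new Set(["command", "args", "env", "url"]);
const ALLOWED_COMMANDS = new Set(["npx", "node", "uvx"]);
const fail = (error) => ({ ok: false, error });
const isStr = (v) => typeof v === "string";

function parseMcpServerConfig(raw) {
  if (!isStr(raw) || raw.length > 4096) return fail("config must be a short string");
  let cfg;
  try {
    // JSON.parse accepts data only; expressions, calls and identifiers are syntax errors.
    cfg = JSON.parse(raw);
  } catch (e) {
    return fail("not valid JSON");
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    return fail("config must be a JSON object");
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) return fail("unexpected key: " + key);
  }
  const hasUrl = Object.hasOwn(cfg, "url");
  const hasCmd = Object.hasOwn(cfg, "command");
  if (hasUrl === hasCmd) return fail("exactly one of url or command is required");
  if (hasUrl) {
    let u;
    try {
      if (!isStr(cfg.url)) throw new TypeError("url must be a string");
      u = new URL(cfg.url);
    } catch (e) {
      return fail("url is not a valid URL");
    }
    if (u.protocol !== "https:") return fail("url must use https");
  } else if (!isStr(cfg.command) || !ALLOWED_COMMANDS.has(cfg.command)) {
    return fail("command not in allowlist");
  }
  const args = cfg.args ?? [];
  if (!Array.isArray(args) || !args.every(isStr)) return fail("args must be strings");
  const env = cfg.env ?? {};
  if (typeof env !== "object" || Array.isArray(env) || !Object.values(env).every(isStr)) {
    return fail("env must map names to strings");
  }
  return { ok: true, config: { ...cfg, args, env } };
}

// Constructed sample inputs: one JSON document, one JavaScript expression (not JSON).
const SAMPLE_JSON = '{"command":"npx","args":["-y","example-mcp-server"]}';
const SAMPLE_EXPRESSION = '({ command: "npx", args: [String(1 + 1)] })';
```

A configuration that only parses when evaluated as JavaScript is rejected at the `JSON.parse` step, so no user-supplied text ever reaches an interpreter.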
Flowise credited Kim SooHyun with discovering and reporting the vulnerability, which has been addressed in version 3.0.6 of the npm package. Despite the patch being available for more than six months, active exploitation attempts have been observed. VulnCheck reports that scanning and attacks have originated from a single Starlink IP address, highlighting the persistent threat targeting exposed instances. CVE-2025-59528 follows two prior vulnerabilities in Flowise that saw in-the-wild exploitation: CVE-2025-8943, an OS command remote code execution flaw with a CVSS score of 9.8, and CVE-2025-26319, an arbitrary file upload flaw with a CVSS score of 8.9.
Cybersecurity experts emphasize the severity of this exposure given the scale and accessibility of Flowise installations. Caitlin Condon, vice president of security research at VulnCheck, stated that the combination of a critical vulnerability, an internet-facing attack surface of over 12,000 instances, and only an API token required for exploitation creates a highly opportunistic environment for attackers. Organizations using Flowise are urged to prioritize patching, implement network segmentation, and continuously monitor for suspicious activity to reduce risk and ensure the security of sensitive AI infrastructure.
The Flowise CVE-2025-59528 case underscores ongoing risks in open-source AI platforms and highlights the importance of proactive vulnerability management, particularly for software used in enterprise AI environments. Security teams are advised to validate that all exposed Flowise instances are updated to the patched version and to adopt additional hardening measures to prevent exploitation.