A severe security flaw, identified as CVE-2025-59528 with a CVSS score of 10.0, is actively being exploited in the open-source Flowise AI agent builder. This vulnerability allows for remote code execution, potentially compromising thousands of internet-facing instances and putting sensitive data at risk. The flaw enables threat actors to execute arbitrary JavaScript code on the Flowise server, leading to full system compromise.

Key Takeaways

• A critical Remote Code Execution (RCE) vulnerability (CVE-2025-59528) with a CVSS score of 10.0 is being actively exploited in Flowise.

• The vulnerability stems from the CustomMCP node, which executes JavaScript code without proper security validation.

• Successful exploitation grants access to dangerous modules like child_process and fs, enabling command execution and data exfiltration.

• An estimated 12,000+ Flowise instances are exposed and potentially vulnerable.

• The issue was patched in version 3.0.6 of the npm package.

The Vulnerability Explained

The vulnerability resides within the CustomMCP node of the Flowise platform. This node is designed to allow users to configure connections to external Model Context Protocol (MCP) servers. However, it parses user-provided configuration strings and executes embedded JavaScript code without adequate security checks. This oversight means that a malicious actor, requiring only an API token, can inject and execute arbitrary code.

Impact and Exploitation

Exploitation of CVE-2025-59528 can lead to severe consequences, including full system compromise, unauthorized access to the file system, and the exfiltration of sensitive data. Flowise has acknowledged the extreme security risk this poses to business continuity and customer data. Security researchers at VulnCheck have observed exploitation attempts originating from a single Starlink IP address.

This is not the first security issue to affect Flowise. CVE-2025-59528 is the third Flowise vulnerability to be exploited in the wild, following CVE-2025-8943 (CVSS 9.8) for operating system command RCE and CVE-2025-26319 (CVSS 8.9) for arbitrary file upload.

Urgent Need for Patching

Caitlin Condon, vice president of security research at VulnCheck, highlighted the severity of the flaw, noting that it affects a popular AI platform used by numerous large corporations. With the vulnerability being public for over six months, defenders have had ample time to implement patches. However, the large number of exposed instances (over 12,000) means that attackers have a significant attack surface to target opportunistically. Users are strongly advised to update their Flowise installations to version 3.0.6 or later immediately to mitigate the risk.

Sources

• Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed, The Hacker News.