Attackers are exploiting a critical Flowise flaw, tracked as CVE-2025-59528 (CVSS score of 10), that lets them run malicious code and access systems due to poor validation of user-supplied JavaScript.

Attackers are actively exploiting a critical vulnerability in Flowise, identified as CVE-2025-59528, which enables remote code execution and unauthorized file system access. The flaw, stemming from improper validation of user-supplied JavaScript, exposes affected systems to complete compromise and has raised significant concerns across the cybersecurity community.

Flowise, an open-source platform designed to help users build and manage large language model (LLM) workflows and autonomous AI agents, has gained popularity for its user-friendly, low-code interface. However, this accessibility has also introduced security risks, particularly within components that process dynamic user inputs.

The vulnerability resides in the CustomMCP node, a feature that allows users to configure connections to external Model Context Protocol (MCP) servers. During configuration, the platform processes the mcpServerConfig input insecurely by executing it as JavaScript without proper validation. Specifically, the convertToValidJSONString function passes user input directly into the Function() constructor, allowing it to run with full Node.js runtime privileges.

This design flaw enables attackers to execute arbitrary JavaScript code on vulnerable Flowise servers. By leveraging access to sensitive Node.js modules such as child_process and fs, threat actors can run system commands, access or manipulate files, and potentially exfiltrate sensitive data. The vulnerability effectively grants full control over compromised systems.

Security researchers warn that exploitation of this flaw requires only a valid API token, significantly lowering the barrier to attack. As a result, organizations using affected versions of Flowise face heightened risks to business operations, intellectual property, and customer data.

The issue impacts Flowise versions up to 3.0.5 and has been addressed in version 3.0.6, released in September 2025. Despite the availability of a patch, many instances remain exposed, increasing the likelihood of widespread exploitation.

VulnCheck researchers have observed active exploitation attempts, marking CVE-2025-59528 as a critical, real-world threat. Initial activity appears to originate from a single Starlink IP address, with scanning and attack attempts targeting publicly accessible instances. Estimates suggest that between 12,000 and 15,000 Flowise deployments are currently exposed on the internet.

Caitlin Condon, Vice President of Security Research at VulnCheck, noted that the vulnerability carries a maximum CVSS score of 10, highlighting its severity. She emphasized that although the flaw has been publicly known for several months, the large number of unpatched systems significantly increases the risk of opportunistic attacks.

This marks the third Flowise vulnerability to be actively exploited in the wild, following earlier flaws tracked as CVE-2025-8943 and CVE-2025-26319. The pattern underscores growing concerns around the security of rapidly adopted AI development platforms and the need for robust validation mechanisms in low-code environments.

The widespread exposure of Flowise instances, combined with the ease of exploitation, makes this vulnerability particularly dangerous. Security experts urge organizations to immediately update to the patched version, restrict external access where possible, and monitor systems for signs of compromise.

Recommended Cyber Technology News :

To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com  



🔒 Login or Register to continue reading