Critical Flowise CVE-2025-59528 RCE Exploited; 12,000+ Instances Exposed

Attackers are actively exploiting a maximum-severity vulnerability in Flowise, the open-source AI agent builder, VulnCheck said. The flaw is tracked as CVE-2025-59528 and carries a CVSS score of 10.0. It allows code injection that leads to remote code execution.

What the bug does

Flowise acknowledged the problem in a September 2025 advisory. “The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server,” Flowise said. “This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.”

That execution runs with full Node.js runtime privileges. Flowise said a successful exploit can reach dangerous modules such as child_process and fs. In practical terms, an attacker can run system commands, read and write files, and take full control of the host running the Flowise instance.

How serious the exposure is

VulnCheck reported active exploitation activity and said scans have traced attempts back to a single Starlink IP address. VulnCheck also found more than 12,000 internet-facing Flowise instances that are reachable by attackers. “This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability,” Caitlin Condon, vice president of security research at VulnCheck, told The Hacker News. “The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we are seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit.”

Flowise warned that only an API token is required to trigger the flaw. “As only an API token is required, this poses an extreme security risk to business continuity and customer data,” Flowise said. The company credited researcher Kim SooHyun with discovering and reporting the vulnerability.

Context and prior incidents

VulnCheck noted this is not the first Flowise bug observed in the wild. The firm pointed to CVE-2025-8943, an operating system command remote code execution issue that scored 9.8, and CVE-2025-26319, an arbitrary file upload flaw that scored 8.9. Both earlier issues were also exploited in the wild, which raised the profile of Flowise as an attractive target for opportunistic attackers.

What Flowise released

Flowise fixed the problem in the npm package with version 3.0.6. The vendor advisory and the package update are the primary remediation steps the project provided. Flowise told users to upgrade to the patched release to eliminate the vulnerable CustomMCP parsing logic.

Practical steps for defenders

  • Upgrade immediately. Flowise said the 3.0.6 release contains the fix.
  • Audit internet exposure. VulnCheck urged operators to inventory Flowise instances and block public access for any that do not need to be internet-facing.
  • Rotate API tokens. Because the flaw can be triggered with an API token, teams should consider rotating tokens and tightening API scopes.
  • Monitor logs. Watch for suspicious process execution, unexpected file reads, or outbound connections from Flowise hosts.

These steps reflect standard incident response measures and echo the guidance from both Flowise and public security researchers. VulnCheck stressed that time is critical because attackers have had months to find and exploit vulnerable installations.

The combination of a trivial trigger method, full Node.js privileges, and thousands of reachable instances makes CVE-2025-59528 a high risk for organizations using Flowise. Operators should treat exposed instances as compromised until they are patched and investigated.

Security teams should act now. Patch to 3.0.6, audit exposed systems, rotate credentials, and review logs. The window for preventing widespread damage is closing.

#Flowise #CVE-2025-59528 #ZeroDay #NodeJS #VulnCheck #RCE