Critical Flowise Vulnerability in Attacker Crosshairs

Summary

A critical remote code execution vulnerability (CVE-2025-59528, CVSS 10.0) in Flowise, an open-source LLM development platform, allows attackers to execute arbitrary Node.js code via improper validation of user-supplied JavaScript in MCP server configuration. Patched in version 3.0.6 (September 2025), VulnCheck has observed active in-the-wild exploitation attempts targeting vulnerable deployments, with 12,000–15,000 publicly accessible Flowise instances identified, making the attack surface significant.

Full text

Threat actors have started to exploit a critical vulnerability in Flowise that allows them to execute arbitrary code remotely, VulnCheck warns. Flowise is an open source development platform that allows users to build customized LLM flows and autonomous agents using a drag-and-drop interface. Tracked as CVE-2025-59528 (CVSS score of 10), the bug exists because user-supplied JavaScript code is not validated in a function that supports configuration settings input for connecting to an external MCP. The user-supplied input used to build the MCP server configuration is passed directly to a function that evaluates and executes it as JavaScript code, with full Node.js runtime privileges, leading to remote code execution and access to the file system. Successful exploitation of the bug could allow attackers to take control of a vulnerable system and exfiltrate sensitive information. “As only an API token is required, this poses an extreme security risk to business continuity and customer data,” Flowise notes in its advisory.Advertisement. Scroll to continue reading. The security defect affects Flowise versions up to 3.0.5 and was patched in version 3.0.6, which was released in September 2025. Now, vulnerability intelligence firm VulnCheck says it has observed the first in-the-wild exploitation attempts targeting CVE-2025-59528, suggesting that attackers are taking an interest in vulnerable deployments. “This is a critical-severity bug in a popular AI platform used by a number of large corporations. This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability,” said VulnCheck VP of security research Caitlin Condon. The company says it has observed between 12,000 and 15,000 publicly accessible Flowise instances. However, it is unclear how many are running vulnerable versions of the platform. “The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we’re seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit,” Condon said. Related: Fortinet Rushes Emergency Fixes for Exploited Zero-Day Related: GrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise Data Related: GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack Related: Google DeepMind Researchers Map Web Attacks Against AI Agents Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Google DeepMind Researchers Map Web Attacks Against AI AgentsGuardarian Users Targeted With Malicious Strapi NPM PackagesNorth Korean Hackers Target High-Profile Node.js MaintainersFortinet Rushes Emergency Fixes for Exploited Zero-DayEuropean Commission Confirms Data Breach Linked to Trivy Supply Chain AttackTrueConf Zero-Day Exploited in Asian Government AttacksCritical ShareFile Flaws Lead to Unauthenticated RCEReact2Shell Exploited in Large-Scale Credential Harvesting Campaign Latest News Severe StrongBox Vulnerability Patched in AndroidGrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise DataWebinar Today: Why Automated Pentesting Alone Is Not EnoughGPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack Medusa Ransomware Fast to Exploit Vulnerabilities, Breached SystemsGerman Police Unmask REvil Ransomware LeaderWhite House Seeks to Slash CISA Funding by $707 MillionWynn Resorts Says 21,000 Employees Affected by ShinyHunters Hack Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2025-59528

Entities