Cybersecurity experts are sounding the alarm over a severe remote code execution (RCE) vulnerability in Flowise, an open-source platform used to create AI agents and tailor large language model workflows. This critical issue, identified as CVE-2025-59528 and carrying a maximum CVSS score of 10.0, allows perpetrators to run arbitrary JavaScript code, potentially compromising entire systems.
Widespread Exposure and Exploitation
According to threat intelligence data, an estimated 12,000 to 15,000 instances of Flowise are currently accessible via the public internet. This extensive exposure presents a significant opportunity for malicious actors to exploit the vulnerability. The flaw originates from inadequate input validation within Flowise’s CustomMCP node, which manages configuration settings for external Model Context Protocol (MCP) servers.
Instead of securely parsing incoming data, the platform’s convertToValidJSONString function passes the user-supplied mcpServerConfig string directly to a Function() constructor. This oversight allows the input to be executed as JavaScript code within the global Node.js context, enabling attackers to deploy harmful payloads with unrestricted runtime privileges.
Technical Exploitation Details
Exploiting CVE-2025-59528 is alarmingly straightforward, requiring no user interaction. Attackers simply send a specially crafted HTTP POST request to the application’s API endpoint over the network. Once the payload triggers the vulnerable constructor, it leverages core Node.js modules like child_process to execute system-level commands.
The repercussions are severe, granting attackers full system access, enabling them to navigate the file system and extract sensitive corporate data. A publicly available proof-of-concept exploit highlights how attackers can easily harness this vulnerability using basic command-line utilities. By embedding a payload that invokes system modules, attackers can manipulate the server to perform remote commands, including writing arbitrary files to temporary storage.
Cybersecurity Community Response
In April 2026, VulnCheck security researchers recorded the first known exploitation of this vulnerability in real-world scenarios, with initial attacks traced back to a Starlink IP address. The flaw is garnering considerable attention within the cybersecurity field due to the sheer number of exposed systems and the simplicity of the exploit.
This incident is part of a broader trend of targeted attacks on AI infrastructure, following previous exploits of other Flowise vulnerabilities. Versions of Flowise up to 3.0.5 remain susceptible to this critical code injection issue, which has been rectified in version 3.0.6 through enhanced security validation of MCP server configurations. Organizations utilizing Flowise are urged to upgrade to the latest version and restrict public network exposure of their application APIs to mitigate risk.
Stay informed with the latest cybersecurity news by following us on Google News, LinkedIn, and X. Contact us to share your cybersecurity stories.
