Risk actors are exploiting a maximum-severity security flaw in Flowise, an open-source synthetic intelligence (AI) platform, in response to new findings from VulnCheck.
The vulnerability in query is CVE-2025-59528 (CVSS rating: 10.0), a code injection vulnerability that might lead to distant code execution.
“The CustomMCP node permits customers to enter configuration settings for connecting to an exterior MCP (Mannequin Context Protocol) server,” Flowise mentioned in an advisory launched in September 2025. “This node parses the user-provided mcpServerConfig string to construct the MCP server configuration. Nevertheless, throughout this course of, it executes JavaScript code with none security validation.”
Flowise famous that profitable exploitation of the vulnerability can permit entry to harmful modules akin to child_process (command execution) and fs (file system), because it runs with full Node.js runtime privileges.
Put in a different way, a menace actor who weaponizes the flaw can execute arbitrary JavaScript code on the Flowise server, resulting in full system compromise, file system entry, command execution, and delicate information exfiltration.
“As solely an API token is required, this poses an excessive security danger to enterprise continuity and buyer information,” Flowise added. It credited Kim SooHyun with discovering and reporting the flaw. The problem was addressed in model 3.0.6 of the npm package deal.
In line with particulars shared by VulnCheck, exploitation exercise towards the vulnerability has originated from a single Starlink IP tackle. CVE-2025-59528 is the third Flowise flaw with in-the-wild exploitation after CVE-2025-8943 (CVSS rating: 9.8), an working system command distant code execution, and CVE-2025-26319 (CVSS rating: 8.9), an arbitrary file add.
“It is a critical-severity bug in a preferred AI platform used by a quantity of huge firms,” Caitlin Condon, vice chairman of security analysis at VulnCheck, advised The Hacker Information in an announcement.
“This particular vulnerability has been public for greater than six months, which suggests defenders have had time to prioritize and patch the vulnerability. The internet-facing assault floor space of 12,000+ uncovered situations makes the lively scanning and exploitation makes an attempt we’re seeing extra severe, because it means attackers have loads of targets to opportunistically reconnoiter and exploit.”
