
Max severity Flowise RCE vulnerability now exploited in attacks

Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in Flowise, an open-source platform for building custom LLM apps and agentic systems, to execute arbitrary code.

The flaw allows injecting JavaScript code without any security checks and was publicly disclosed last September, with the warning that successful exploitation leads to command execution and file system access.

The issue lies in the Flowise CustomMCP node, which allows configuration settings to connect to an external Model Context Protocol (MCP) server and unsafely evaluates the user-supplied mcpServerConfig input. During this process, it can execute JavaScript without first validating its safety.
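To illustrate the class of bug described above, the following added example (not Flowise's code, and not the 3.0.6 patch) contrasts a parser that evaluates a user-supplied MCP server config string as JavaScript with one that treats it strictly as JSON data and validates its shape; the config schema (`mcpServers` entries with `command`/`args` or `url`) is a constructed assumption for the demo.

```javascript
// Illustrative only: not Flowise's code. Contrasts evaluating a user-supplied
// MCP server config string as JavaScript with parsing it strictly as JSON.

// UNSAFE pattern: the config string is treated as a JavaScript expression, so
// anything inside it runs with the server process's privileges.
function unsafeParseMcpServerConfig(input) {
  return new Function("return (" + input + ")")(); // evaluates arbitrary code
}

// SAFE pattern: parse as JSON (data, never code), then validate the shape.
// Constructed schema: each server has exactly one of `command` (string) or
// `url` (string), plus optional `args` (string[]).
function safeParseMcpServerConfig(input) {
  let cfg;
  try {
    cfg = JSON.parse(input); // throws on anything that is not plain JSON
  } catch (e) {
    throw new Error("mcpServerConfig is not valid JSON");
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    throw new Error("mcpServerConfig must be a JSON object");
  }
  const servers = cfg.mcpServers;
  if (servers === null || typeof servers !== "object" || Array.isArray(servers)) {
    throw new Error("mcpServerConfig.mcpServers must be an object");
  }
  const allowedKeys = new Set(["command", "args", "url"]);
  for (const [name, s] of Object.entries(servers)) {
    if (s === null || typeof s !== "object") throw new Error(`server ${name}: not an object`);
    for (const k of Object.keys(s)) {
      if (!allowedKeys.has(k)) throw new Error(`server ${name}: unexpected key ${k}`);
    }
    const hasCommand = typeof s.command === "string";
    const hasUrl = typeof s.url === "string";
    if (hasCommand === hasUrl) throw new Error(`server ${name}: need exactly one of command/url`);
    if (s.args !== undefined &&
        !(Array.isArray(s.args) && s.args.every((a) => typeof a === "string"))) {
      throw new Error(`server ${name}: args must be string[]`);
    }
  }
  return cfg;
}

// Convenience check: does the safe parser accept this config string?
function isAcceptedConfig(input) {
  try { safeParseMcpServerConfig(input); return true; } catch (e) { return false; }
}
```

The same input `{"a": 1 + 1}` is executed (yielding `a: 2`) by the unsafe parser but rejected outright by the JSON-based one, which is the property a defender wants from any config field that reaches an evaluator.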


The developer addressed the issue in Flowise version 3.0.6. The latest current version is 3.1.1, released two weeks ago.

Flowise is an open-source, low-code platform for building AI agents and LLM-based workflows. It provides a drag-and-drop interface that lets users connect components into pipelines powering chatbots, automation, and AI systems.


It is used by a broad range of users, including developers working on AI prototyping, non-technical users working with no-code toolsets, and companies that operate customer support chatbots and knowledge-based assistants.

Caitlin Condon, security researcher at vulnerability intelligence firm VulnCheck, announced on LinkedIn that exploitation of CVE-2025-59528 has been detected by their Canary network.

“Early this morning, VulnCheck’s Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform,” Condon warned.

Though the exercise seems restricted right now, originating from a single Starlink IP, the researchers warned that there are between 12,000 and 15,000 Flowise cases uncovered on-line proper now.

Nevertheless, it’s unclear what share of these are weak Flowise servers.

Condon notes that the noticed exercise associated to CVE-2025-59528 happens along with CVE-2025-8943 and CVE-2025-26319, which additionally influence Flowise and for which energetic exploitation within the wild has been noticed.

At present, VulnCheck offers exploit samples, community signatures, and YARA guidelines solely to its clients.


Users of Flowise are recommended to upgrade to version 3.1.1, or at least 3.0.6, as soon as possible. They should also consider removing their instances from the public internet if external access is not needed.
