Threat actors are exploiting maximum-severity security flaws in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.
The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that may allow remote code execution.
In an advisory released in September 2025, Flowise states, “The CustomMCP node allows users to enter configuration settings to connect to an external Model Context Protocol (MCP) server. The node parses the mcpServerConfig string provided by the user to build the MCP server configuration. However, during this process it executes JavaScript code without security validation.”
Flowise noted that successful exploitation of this vulnerability would run with full Node.js runtime privileges, potentially allowing access to dangerous modules such as child_process (command execution) and fs (file system).
In other words, an attacker weaponizing this flaw could execute arbitrary JavaScript code on the Flowise server, potentially compromising the entire system, accessing the file system, executing commands, and exfiltrating sensitive data.
“This poses extreme security risks to business continuity and customer data as only API tokens are required,” Flowise added. The person who discovered and reported this flaw was Kim Soo-hyun. This issue was resolved in npm package version 3.0.6.
According to details shared by VulnCheck, the exploit activity for this vulnerability originated from a single Starlink IP address. CVE-2025-59528 is the third flaw in Flowise to be exploited in the field, after CVE-2025-8943 (CVSS score: 9.8), remote code execution of operating system commands, and CVE-2025-26319 (CVSS score: 8.9), which is upload of arbitrary files.
“This is a high-severity bug in a popular AI platform used by many large enterprises,” Caitlin Condon, vice president of security research at VulnCheck, told The Hacker News in a statement.
“This particular vulnerability has been public for more than six months, which means defenders have had time to prioritize and fix the vulnerability. With over 12,000 exposed instances in the internet-facing attack surface, the active scanning and exploitation attempts we’re seeing are even more severe because it means there are many targets for attackers to opportunistically scout and exploit.”
Source link
