Flowise flaw under active exploitation after critical code injection report

Threat actors are exploiting a maximum-severity flaw in Flowise, an open-source low-code platform for building LLM agents and workflows, according to a technical analysis from VulnCheck. The issue, tracked as CVE-2025-59528 and rated CVSS 10.0, allows remote code execution on internet-exposed instances.

KEY FACTS

  • Vulnerability: CVE-2025-59528 is a code injection flaw in the CustomMCP node.
  • Impact: Successful exploitation can allow arbitrary JavaScript execution, file access and command execution.
  • Patch: The issue was fixed in Flowise version 3.0.6.
  • Activity: VulnCheck said exploitation attempts came from a single Starlink IP address.

According to the Flowise advisory, the CustomMCP node accepts a user-supplied configuration, the mcpServerConfig string, that describes how to connect to an external MCP (Model Context Protocol) server. The code that parses that string evaluates it as JavaScript rather than treating it as data, with no security validation, so any code an attacker embeds in the configuration is executed.

The disclosure said injected code runs with the full privileges of the Flowise Node.js process. From there it can load modules such as child_process for command execution and fs for file-system access, which would let an attacker take control of the server and exfiltrate data.
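To make the mechanism concrete, the following is an added example written for this article, not Flowise's own code or the advisory's proof of concept. It places a parser that evaluates the configuration string as JavaScript, the pattern the advisory describes, beside one that treats the string strictly as JSON and checks its shape before use. The key allow-list (command, args, env, url), the sample inputs and the server names are constructed for the example and are not Flowise's real schema.

```javascript
'use strict';

// Added illustration, not Flowise code. The advisory says the CustomMCP node
// parses the user-supplied mcpServerConfig string by executing it as
// JavaScript; parseConfigUnsafe reproduces that pattern and parseConfigSafe
// shows the data-only alternative.

// Vulnerable pattern: evaluate the string so that "relaxed" JSON (unquoted
// keys, trailing commas, comments) is accepted. The Function constructor runs
// the text as code in the global scope with the privileges of the Node.js
// process, so any expression the caller embeds is executed.
function parseConfigUnsafe(str) {
  return new Function('return (' + str + ')')();
}

// Keys a server config may carry. This allow-list is an assumption made for
// the example (a stdio server launched by command/args, or a remote server
// reached by url), not Flowise's actual schema. Because it is an allow-list,
// a JSON "__proto__" key is rejected as well.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url']);

function isStringArray(v) {
  return Array.isArray(v) && v.every((x) => typeof x === 'string');
}

function isStringMap(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) &&
    Object.values(v).every((x) => typeof x === 'string');
}

// Hardened parser: JSON.parse never executes code, and the result is checked
// against the expected shape before anything downstream sees it.
function parseConfigSafe(str) {
  let cfg;
  try {
    cfg = JSON.parse(str);
  } catch (e) {
    throw new Error('mcpServerConfig must be valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) {
      throw new Error('mcpServerConfig: unexpected key ' + key);
    }
  }
  if ('command' in cfg && typeof cfg.command !== 'string') {
    throw new Error('mcpServerConfig: command must be a string');
  }
  if ('args' in cfg && !isStringArray(cfg.args)) {
    throw new Error('mcpServerConfig: args must be an array of strings');
  }
  if ('env' in cfg && !isStringMap(cfg.env)) {
    throw new Error('mcpServerConfig: env must map strings to strings');
  }
  if ('url' in cfg && typeof cfg.url !== 'string') {
    throw new Error('mcpServerConfig: url must be a string');
  }
  if (!('command' in cfg) && !('url' in cfg)) {
    throw new Error('mcpServerConfig: needs either command or url');
  }
  return cfg;
}

// Constructed inputs for the demonstration.
// 1. A config that looks like a server definition but carries code. With the
//    evaluating parser the embedded function runs and can reach any global,
//    here the Node.js `process` object (the advisory's child_process and fs
//    are reachable the same way).
const CONSTRUCTED_PAYLOAD =
  '{ url: "http://127.0.0.1:8000/mcp", ' +
  'marker: (function () { return "ran with " + typeof process; })() }';
// 2. A legitimate strict-JSON config.
const CONSTRUCTED_VALID =
  '{"command":"npx","args":["-y","example-mcp-server"]}';

// Runs both parsers over the constructed inputs and returns what happened.
function demo() {
  const fromUnsafe = parseConfigUnsafe(CONSTRUCTED_PAYLOAD);
  let safeRejected = false;
  try {
    parseConfigSafe(CONSTRUCTED_PAYLOAD);
  } catch (e) {
    safeRejected = true;
  }
  return {
    unsafeMarker: fromUnsafe.marker,       // "ran with object": code executed
    safeRejected,                          // true: strict parser refused it
    valid: parseConfigSafe(CONSTRUCTED_VALID),
  };
}

console.log(demo());
```

The point of the split is that validation after evaluation is too late: by the time parseConfigUnsafe returns, the embedded code has already run. The hardened version only ever sees data, and the shape check then limits what the rest of the node can be handed.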

Flowise said the only precondition for exploitation is a valid API token, so any caller who can authenticate to the API can reach the vulnerable node. The project credited Kim SooHyun with reporting the bug and said the issue was addressed in version 3.0.6 of the npm package.

VulnCheck said CVE-2025-59528 is the third Flowise vulnerability it has observed exploited in the wild, following CVE-2025-8943 (operating-system command execution leading to remote code execution) and CVE-2025-26319 (arbitrary file upload).

WHY IT MATTERS

The report said more than 12,000 Flowise instances are reachable from the internet, giving attackers a large pool of possible targets. Organizations running Flowise should upgrade to version 3.0.6 or later promptly, review which instances are exposed to the internet and whether they need to be, and review who holds API tokens for them, since a token is all an attacker needs to trigger the bug.