Attackers are exploiting a critical Flowise flaw, tracked as CVE-2025-59528 (CVSS score of 10), that lets them run malicious code and access systems due to poor validation of user-supplied JavaScript.
Attackers are actively exploiting a critical vulnerability in Flowise, tracked as CVE-2025-59528, that allows remote code execution and file system access. The flaw stems from improper validation of user-supplied JavaScript in a configuration function, exposing systems to full compromise.
Flowise is an open-source platform that lets users build and manage customized LLM (large language model) workflows and autonomous agents. It provides a drag-and-drop interface to design AI flows, connect models, and integrate external tools or APIs without deep programming knowledge. Essentially, it simplifies creating AI-driven applications and automated processes.
The CustomMCP node in Flowise lets users configure connections to external MCP servers, but it processes the mcpServerConfig input insecurely. Instead of validating it, the system executes it as JavaScript. The convertToValidJSONString function passes user input directly to the Function() constructor, running it with full Node.js privileges. This allows access to sensitive modules like child_process and fs, enabling command execution and file system access, making the flaw highly dangerous.
“The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation,” reads the advisory. “Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs.”
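The pattern the advisory describes, as an added example that is not Flowise's code and not the project's fix: a hypothetical `parseConfigUnsafe` evaluates the config string with `Function()`, beside a hypothetical `parseConfigStrict` that accepts only strict JSON with an assumed set of keys. Both inputs are constructed, and the non-JSON one only sets a harmless flag to show that evaluation took place.

```javascript
// Added example. Function names and the key list are hypothetical.

// Unsafe pattern from the advisory: the config string is compiled as
// JavaScript, so any expression inside it runs in the server process.
function parseConfigUnsafe(input) {
  return Function('return ' + input)();
}

// Assumed set of permitted top-level keys (illustrative only).
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);

// Hardened form: the string is data, parsed as strict JSON and shape-checked.
function parseConfigStrict(input) {
  let cfg;
  try {
    cfg = JSON.parse(input);
  } catch {
    throw new Error('mcpServerConfig must be strict JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  if ('command' in cfg && typeof cfg.command !== 'string') {
    throw new Error('command must be a string');
  }
  if ('args' in cfg && !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  return cfg;
}

function demo() {
  // Constructed inputs. The second is not JSON: it is an expression whose
  // only effect is to set a harmless flag, which proves evaluation happened.
  const plain = '{"command": "npx", "args": ["-y", "example-mcp-server"]}';
  const active = '{ command: (globalThis.evalRan = true, "npx") }';
  globalThis.evalRan = false;
  parseConfigUnsafe(active);
  const unsafeExecuted = globalThis.evalRan;
  globalThis.evalRan = false;
  let strictRejected = false;
  try { parseConfigStrict(active); } catch { strictRejected = true; }
  return { unsafeExecuted, strictRejected, flagAfterStrict: globalThis.evalRan, parsed: parseConfigStrict(plain) };
}

console.log(demo());
```

The strict parser rejects the second input at `JSON.parse`, before any part of it can run, which is the property the `Function()` path lacks.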
The vulnerability lets attackers run arbitrary JavaScript on the Flowise server, leading to full system takeover, file access, command execution, and data theft. Since exploitation only requires an API token, it poses a severe risk to business operations and sensitive customer data.
The flaw impacts Flowise versions up to 3.0.5 and was fixed in version 3.0.6, released in September 2025.
VulnCheck detected the first exploitation of CVE-2025-59528. The activity appears to come from a single Starlink IP, and 12,000–15,000 exposed instances are online.
“New #KEV: Early this morning, VulnCheck’s Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform. The vulnerability resides in the CustomMCP server logic in multiple versions of Flowise and allows for code execution.” Caitlin Condon, VP, Security Research at VulnCheck wrote on LinkedIn. “Observed activity so far originates from a single Starlink IP. Our team’s ASM queries show 12,000 – 15,000 instances of Flowise on the public internet as of today.”
CVE-2025-59528 is the third Flowise flaw actively exploited in the wild, following CVE-2025-8943 (CVSS score: 9.8) and CVE-2025-26319 (CVSS score: 8.9).
“This is a critical-severity bug in a popular AI platform used by a number of large corporations. This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability,” added Condon. “The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we’re seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit,” Condon said.
(SecurityAffairs – hacking, Flowise)
