Critical Flaw in Popular AI Tool Flowise Sparks Widespread Exploitation

Security researchers are tracking active, widespread attacks against a severe vulnerability in Flowise, an open-source platform businesses use to build AI agents. The flaw, designated CVE-2025-59528, carries a maximum CVSS severity score of 10.0 and enables remote code execution.

According to an advisory from Flowise, the weakness resides in a specific component called the CustomMCP node. This node processes configuration data for connecting to external AI servers but fails to validate JavaScript code within that data. Because the system runs with full Node.js privileges, a successful attack grants access to powerful modules for executing system commands and manipulating files. In essence, an attacker with a valid API token can take complete control of the server.

VulnCheck, the firm that published the new findings, reports exploitation attempts originating from a single Starlink IP address. They note over 12,000 instances of Flowise are exposed on the public internet, presenting a large pool of potential targets. This is the third Flowise vulnerability to see active exploitation in the wild.

"This is a critical-severity bug in a popular AI platform used by a number of large corporations," said Caitlin Condon, vice president of security research at VulnCheck. She emphasized that the vulnerability has been publicly known for over six months, giving organizations ample time to apply the patch released in version 3.0.6. The continued scanning and exploitation attempts underscore a persistent gap between patch availability and deployment in enterprise AI infrastructure.

Source: The Hackers News