The flaw, tracked as CVE-2025-59528, carries a maximum CVSS score of 10.0, indicating its severe impact and ease of exploitation.
Security researchers warn that more than 15,000 publicly accessible Flowise instances remain exposed, significantly increasing the risk of widespread attacks.
The vulnerability allows remote attackers to execute arbitrary code and potentially take full control of affected servers.
The issue stems from how Flowise processes external server configurations within its CustomMCP (Model Context Protocol) component.
When users input configuration data to connect with external services, the application improperly evaluates this input as JavaScript code.
Instead of validating or sanitizing the data, the system directly passes it into a Node.js Function() constructor.
Because this code execution occurs with full runtime privileges, attackers can inject malicious payloads that interact with sensitive system components.
This includes access to the file system and the ability to spawn child processes, effectively giving attackers deep control over the host environment.
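The following JavaScript is an added illustration, not Flowise's own code: it contrasts a configuration parser built on the Function() constructor (the pattern the article describes) with one that parses strict JSON and validates the shape of the result. The field names command, args and env are assumed for the example.

```javascript
// Added illustration (not Flowise's code): evaluating configuration text with
// the Function() constructor turns config input into code that runs with the
// full privileges of the Node.js process. The JSON-only parser below accepts
// only plain data in an expected shape. Field names are assumed.

// Vulnerable pattern: the string is compiled and executed as JavaScript.
function parseConfigUnsafe(text) {
  return new Function('return (' + text + ')')();
}

// Hardened pattern: parse as JSON only, then check the narrow shape an
// MCP server entry is allowed to have (unknown keys are rejected).
function parseConfigSafe(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    throw new Error('config must be valid JSON');
  }
  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
    throw new Error('config must be a JSON object');
  }
  const allowed = new Set(['command', 'args', 'env']);
  for (const key of Object.keys(data)) {
    if (!allowed.has(key)) throw new Error('unexpected key: ' + key);
  }
  if (typeof data.command !== 'string' || data.command.length === 0) {
    throw new Error('command must be a non-empty string');
  }
  if (data.args !== undefined &&
      !(Array.isArray(data.args) && data.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  if (data.env !== undefined &&
      !(typeof data.env === 'object' && data.env !== null && !Array.isArray(data.env) &&
        Object.values(data.env).every((v) => typeof v === 'string'))) {
    throw new Error('env must be an object of string values');
  }
  return data;
}

// Constructed sample: a JavaScript expression placed where a value belongs.
// The unsafe parser evaluates it (args becomes ["2"]); the safe parser
// rejects the text because it is not JSON.
const SAMPLE = '{ "command": "node", "args": [String(1 + 1)] }';
```

The same shape check also rejects keys such as `__proto__`, which JSON.parse would otherwise hand through as an ordinary property.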
Exploitation is straightforward and requires minimal effort. An attacker can send a specially crafted request to a vulnerable API endpoint containing malicious configuration data.
Once processed, the payload executes in the background without user interaction. In proof-of-concept demonstrations, researchers showed that a single request could trigger arbitrary shell commands and create unauthorized files on the system.
Cybersecurity firm VulnCheck has already observed real-world exploitation of this vulnerability.
According to its early warning network, initial attack activity originated from a Starlink IP address, suggesting opportunistic scanning and rapid weaponization of the flaw.
If successfully exploited, the vulnerability can lead to complete system compromise. Attackers can gain unauthorized read and write access, execute system-level commands silently, and exfiltrate sensitive business or customer data.
These capabilities make the flaw particularly dangerous for organizations relying on Flowise in production environments.
This is not an isolated case. Flowise has faced multiple security issues in recent months, including CVE-2025-8943 and CVE-2025-26319, both of which were also actively exploited.
The vulnerability affects Flowise versions 3.0.5 and earlier. The developers have released a patched version, 3.0.6, to address the issue. Security teams are strongly advised to upgrade immediately.
Given the active exploitation and the large number of exposed instances, unpatched systems are highly likely to be compromised.
Organizations using Flowise should prioritize patching, restrict external access where possible, and monitor systems for signs of unauthorized activity.
The post Flowise AI Vulnerability Under Active Attack: 15,000+ Instances Left Exposed appeared first on Cyber Security News.