Flowise CVE-2025-59528 RCE Exploitation

Open-source AI agent builders like Flowise were supposed to democratize intelligent automation. Instead, a perfect-score vulnerability has hackers knocking on 12,000 doors.


Key Takeaways

  • CVSS 10.0 RCE in Flowise's CustomMCP node allows arbitrary JS execution with full Node.js privileges.
  • Over 12,000 internet-exposed instances remain vulnerable despite a 6-month-old patch.
  • Third exploited Flowise flaw this year signals deeper architectural risks in AI agent builders.

Everyone figured Flowise would keep chugging along as the go-to for whipping up AI agents: low-code magic for devs tired of wrestling APIs. Quick setups, drag-and-drop nodes, boom: your chatbot’s alive. But here’s the gut punch. Active exploitation of a CVSS 10.0 RCE in the Flowise AI agent builder has flipped the script, exposing over 12,000 internet-facing instances to what could be total server takeovers.

And it’s not theoretical. VulnCheck spotted real probes from a lone Starlink IP — opportunistic scans turning into exploits.

Look, AI platforms promised speed over everything. Flowise, built on Node.js, lets you chain ‘nodes’ for agentic workflows: fetch data, call LLMs, spit out actions. Sounds slick. But that CustomMCP node? Total disaster.

How Did Flowise Let JS Code Run Wild?

Flowise’s advisory nails it:

“The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server,” Flowise said in an advisory released in September 2025. “This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.”

No validation. Zilch. You feed it a config string — just an API token away — and it evals your JavaScript straight into the Node runtime. Suddenly, attackers spawn child_process for shell commands, rummage fs for files, exfiltrate secrets. Full privileges, no sandbox. It’s like handing over the keys to your data center because someone said ‘trust me’ in a config field.
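The difference between evaluating a config string and parsing it as data, shown as an added example (not Flowise's code and not its patch). The field names, the 8192-character limit and both sample strings are assumptions constructed for illustration.

```javascript
'use strict';

const isString = (v) => typeof v === 'string';
const isStringMap = (v) => v !== null && typeof v === 'object' &&
  !Array.isArray(v) && Object.values(v).every(isString);

// Assumed field names for an MCP server entry; adjust to your deployment.
const FIELD_CHECKS = new Map([
  ['command', isString],
  ['url', isString],
  ['args', (v) => Array.isArray(v) && v.every(isString)],
  ['env', isStringMap],
  ['headers', isStringMap],
]);

// Generic unsafe pattern: the config string is compiled and run as JavaScript.
function parseConfigUnsafe(input) {
  return Function('"use strict"; return (' + input + ');')();
}

// Hardened: treat the string as data only, then validate its shape.
function parseConfigStrict(input) {
  if (!isString(input) || input.length > 8192) {
    throw new TypeError('config must be a string of at most 8192 chars');
  }
  const cfg = JSON.parse(input); // SyntaxError for anything that is not JSON
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new TypeError('config must be a JSON object');
  }
  for (const [key, value] of Object.entries(cfg)) {
    const check = FIELD_CHECKS.get(key);
    if (!check) throw new TypeError(`unexpected key: ${key}`);
    if (!check(value)) throw new TypeError(`bad value for key: ${key}`);
  }
  return cfg;
}

// Audit helper: report which stored config strings fail strict parsing.
function auditConfigs(configs) {
  return configs.map((input, index) => {
    try { parseConfigStrict(input); return { index, ok: true }; }
    catch (err) { return { index, ok: false, reason: `${err.name}: ${err.message}` }; }
  });
}

// Constructed samples: one plain JSON config, one string that is code, not data.
const SAMPLE_JSON = '{"command":"npx","args":["-y","example-mcp-server"]}';
const SAMPLE_CODE = '{ command: (globalThis.configCodeRan = true, "npx") }';
```

Running `auditConfigs` over stored config strings flags any entry that only "works" because it was being evaluated, which is worth reviewing even after upgrading.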

Why build it this way? Architectural shortcut. Flowise chased flexibility for power users tweaking MCP servers on the fly. Eval the config, connect smoothly — or so they thought. But Node.js’s dynamic nature bites back hard. Remember the 2010s npm ecosystem? Packages eval’ing user input left enterprises leaking creds. Flowise echoes that chaos, but now with AI agents handling customer data.

My take — and this is the insight headlines miss: this isn’t isolated sloppiness. It’s the Node.js wild west colliding with AI hype. Agent builders prioritize rapid iteration over ironclad isolation. Expect copycats: LangChain, Haystack, anyone eval’ing configs? We’ve entered an AI supply-chain era akin to SolarWinds, but decentralized across 1000s of OSS repos. Bold prediction: by 2026, we’ll see nation-states chaining these RCEs into botnets for AI data poisoning.

Why 12,000 Instances? The Exposure Math

VulnCheck’s Caitlin Condon cuts through:

“This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability. The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we’re seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit.”

Six months post-patch (version 3.0.6). Still 12k exposed. Shoddy.

Blame the usual suspects. Devs spin up Flowise on cloud VMs for PoCs — AWS, DigitalOcean — forget firewalls, expose port 3000. No auth beyond tokens. Large corps? Using it internally but misconfiguring prod.

Starlink IP adds intrigue. Mobile? Tor-like evasion? Or just a hacker in a van? Point is, one actor’s probing means others will follow. This is Flowise’s third exploited flaw this year, after CVE-2025-8943 (OS command RCE) and CVE-2025-26319 (file upload). Pattern screams: rush to AI market, security last.

But wait — Flowise calls it out: “As only an API token is required, this poses an extreme security risk to business continuity and customer data.” Credit to researcher Kim SooHyun. Still, their PR spins ‘fixed quick’ while instances linger.

Who’s Running Exposed — And What Happens Next?

Scan tools like Shodan peg those 12k: mostly small setups, but VulnCheck flags big corps too. Imagine your CRM agent exfiltrating leads. Or worse, pivoting to internal nets.

Architecturally, this shifts everything. AI agents aren’t chatbots — they’re actors with tools. RCE means tool abuse at scale. Why? Because platforms like Flowise bake in Node’s power without WASM isolation or seccomp. Shift needed: mandatory sandboxes per-node, like Deno’s origins but enforced.

Critique time. Flowise’s advisory? Solid on details, weak on urgency. No forced upgrades, no deprecation warnings. Corporate users pat themselves on the back for ‘open source,’ ignore scanners. Wake up.

So, patch to 3.0.6. Run Censys/Shodan queries. Firewall port 3000. Audit tokens. But deeper: rethink agent builders. Are they secure-by-design, or hype traps?

This Starlink saga? Tip of the iceberg. AI’s gold rush breeds vulns. Flowise proves: speed kills if security lags.

Is Flowise Still Safe for Production?

Short answer: barely. Patched instances? Yes, if you’re vigilant. But history — three RCEs exploited — screams audit everything. Migrate? Haystack or custom stacks might fare better, but check their evals too.

Exploitation timeline matters. Public Sept 2025, active now. Defenders slept.

Why Does This Hit AI Hardest?

Agents chain actions — RCE amplifies. One vuln, and your ‘smart’ workflow’s a backdoor. Enterprises betting on these? Reassess.



Frequently Asked Questions

What is CVE-2025-59528 in Flowise?

It’s a CVSS 10.0 code injection flaw in the CustomMCP node that lets attackers run arbitrary JavaScript, leading to RCE via modules like child_process and fs.

How to fix Flowise RCE vulnerability?

Upgrade to Flowise npm package version 3.0.6 or later, restrict port 3000 access, rotate API tokens, and scan for exposed instances with Shodan.

Are there active exploits against Flowise?

Yes, VulnCheck reports scanning and exploitation attempts from a single Starlink IP against 12,000+ exposed instances.

Written by Elena Vasquez

Senior editor and generalist covering the biggest stories with a sharp, skeptical eye.


Originally reported by The Hacker News
