15,000.
That’s roughly how many Flowise instances dangle in public view right now, ripe for the picking after hackers lit the fuse on CVE-2025-59528.
A perfect 10 on the CVSS scale—arbitrary code execution via JavaScript injection. Caitlin Condon at VulnCheck spotted it first thing this morning through their Canary network.
“Early this morning, VulnCheck’s Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform.”
She’s not wrong to sound the alarm. This isn’t some theoretical poke; it’s command execution, file system rummaging, the whole hacker’s delight.
How Does a Drag-and-Drop AI Tool Let Code Run Wild?
Flowise? It’s the low-code darling for stitching together LLM apps and agentic workflows—chatbots, automations, that drag-and-drop magic non-devs crave. Think Zapier meets LangChain, open-source and free.
But here’s the screw-up: the CustomMCP node. It’s meant to hook into external Model Context Protocol servers, pulling in configs from users. Except—no safety net. It slurps that mcpServerConfig input and evals it as JavaScript, raw and unchecked.
Eval. In 2025. On a platform powering customer support bots. Yikes.
Disclosed last September, patched in 3.0.6, latest is 3.1.1 from two weeks back. Yet those 15,000 exposed boxes? Who knows how many limp on ancient versions.
And it’s not alone. This exploit joins CVE-2025-8943 and CVE-2025-26319—also Flowise bugs with in-the-wild pokes. VulnCheck’s holding exploit samples and YARA rules close to the chest for paying customers only.
Look, the activity’s slim so far—one IP, Starlink flavor, probably a lone wolf testing waters. But max-severity RCE in AI tooling? That’s not a splash; it’s a siren.
Why’s Flowise a Hacker Magnet in the Agentic AI Rush?
Blame the architecture—or lack of it. Flowise thrives on user-supplied inputs flying straight into execution pipelines. No-code means trusting the crowd, but crowds build sloppy, and hackers love sloppy.
Here’s my angle the press releases miss: this echoes the early WordPress plugin era, circa 2010. Drag-and-drop exploded; security lagged. Thousands of sites pwned because devs prioritized features over filters. Now swap PHP for JS eval in AI agents—same vibe, higher stakes.
Agentic systems? They’re the next boom. Autonomous AI that acts, not just chats. Flowise pipelines those agents. One injected script, and your bot’s not assisting customers—it’s exfiltrating data or mining crypto.
Companies running support chatbots? Prototypers chaining LLMs? If it’s public-facing without patches, you’re betting on obscurity. And obscurity’s dying fast.
Patch to 3.1.1, stat. Better yet, yank it off the public net unless you need it. Firewalls? Sure, but BAS tools show most controls crumble here.
Is Your Flowise Setup Next on the Hit List?
VulnCheck’s canaries pinged from a single Starlink beam—mobile, ephemeral, perfect for opsec-conscious attackers. Limited now, but scans will follow. Shodan lights up those 12k-15k endpoints; bots don’t sleep.
Non-technical users love Flowise’s no-sweat interface. That’s the hook—and the hook for phishers. Imagine a SaaS wrapper around this, marketed to SMBs. One unpatched deploy, and boom: RCE foothold into your infra.
Developers, check your prototypes. That side project agent? If it’s demo’d publicly, kill it. The ‘how’ here is trivial: craft a malicious MCP config, POST it, watch eval() unleash hell.
Prediction: by quarter’s end, we’ll see ransomware crews bundling this into kits. AI tooling’s hot; vulns in it pay.
Flowise’s Other Open Wounds
Don’t sleep on the siblings. CVE-2025-8943 and CVE-2025-26319? Actively exploited too. Flowise’s changelog reads like a vulnerability diary—rushed features, thin validation.
It’s the open-source tax. Popularity breeds eyes, good and bad. Flowise hit stride in the LLM frenzy; maintainers scrambled. Result? Config eval without sanitization. Basic stuff, overlooked.
Corporate spin? Flowise devs fixed it quick—props. But 15k exposed screams adoption outpacing audits. No-code AI’s double-edged: empowers fast, breaks faster.
🧬 Related Insights
- Read more: Three China-Aligned Hack Clusters Pile Onto One Southeast Asian Government Network
- Read more: Leaked Cellebrite Matrix Names Pixel 6-9 Models Ripe for Hacking
Frequently Asked Questions
What is CVE-2025-59528 in Flowise?
Max-severity RCE letting attackers inject and run JavaScript via the CustomMCP node’s unsafe config eval. Leads to full command execution.
How do I fix Flowise RCE vulnerability?
Upgrade to 3.1.1 immediately. Lock down public access; use VPNs or private nets for external MCP hooks.
Are other Flowise CVEs being exploited?
Yes—CVE-2025-8943 and CVE-2025-26319 see wild activity too. Patch everything; scan your instances.
