Critical Flowise Flaw Enables Hackers to Compromise Thousands of AI Workflows

Researchers discovered a critical vulnerability, CVE‑2025‑59528, in Flowise's custom MCP node that allows arbitrary JavaScript execution. It was patched in version 3.0.6, yet thousands of instances remain exposed, and VulnCheck has reported active exploitation in the wild.

Black & White Path

Vulnerability Overview: Arbitrary Code Execution via Custom MCP Node

Security researchers identified that attackers can inject arbitrary JavaScript into Flowise, a low‑code platform for building custom large language model (LLM) and agent workflows. The flaw resides in the design of the custom MCP node and is rated at the highest severity.

Technical Details: Missing MCP Configuration Validation

Flowise allows users to drag a custom MCP node into a workflow and paste a JSON configuration that points to an external MCP server. In version 3.0.5 the platform fails to validate the user‑provided mcpServerConfig string. The function convertToValidJSONString passes the raw input directly to the Function() constructor, causing the input to be evaluated as JavaScript code. Because the function runs with full Node.js privileges, it can access dangerous modules such as child_process and fs, enabling remote code execution.
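The difference between evaluating a configuration string and parsing it as data, shown as an added example that is not Flowise's own code. The function names, the marker flag, the sample inputs, and the assumed schema (an https `url` plus optional string `headers`) are all hypothetical.

```javascript
'use strict';

// Vulnerable pattern (illustrative): the string is compiled and run as JavaScript.
function unsafeParseConfig(input) {
  return Function('return ' + input)();
}

// Hardened pattern: data-only parsing plus a strict shape check.
// Assumed schema, not Flowise's: one https "url" and optional string "headers".
const ALLOWED_KEYS = new Set(['url', 'headers']);

function safeParseConfig(input) {
  let cfg;
  try {
    cfg = JSON.parse(input); // JSON.parse never executes code
  } catch {
    throw new Error('mcpServerConfig is not valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unexpected key: ${key}`);
  }
  let url;
  try { url = new URL(cfg.url); } catch { throw new Error('url is not valid'); }
  if (url.protocol !== 'https:') throw new Error('url must be https');
  const headers = cfg.headers ?? {};
  if (typeof headers !== 'object' || Array.isArray(headers) ||
      !Object.values(headers).every((v) => typeof v === 'string')) {
    throw new Error('headers must map strings to strings');
  }
  return { url: url.href, headers: { ...headers } };
}

// Constructed inputs: a plain config, and one whose value is an expression
// with a harmless side effect (it only sets a marker flag).
const BENIGN = '{"url": "https://mcp.example.test/sse"}';
const HOSTILE = '{"url": (globalThis.__evaluated = true, "https://mcp.example.test/sse")}';

function demo() {
  globalThis.__evaluated = false;
  unsafeParseConfig(HOSTILE); // the embedded expression runs in-process
  const unsafeRan = globalThis.__evaluated;
  globalThis.__evaluated = false;
  let rejected = false;
  try { safeParseConfig(HOSTILE); } catch { rejected = true; }
  return { unsafeRan, rejected, safeRan: globalThis.__evaluated,
           benign: safeParseConfig(BENIGN).url };
}
```

The evaluated form returns a normal-looking object, so the side effect is invisible to the caller; the data-only parser rejects the same input before any of it runs.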

CVE and Patch Information

The vulnerability is tracked as CVE‑2025‑59528. When disclosed in September 2025 it received a CVSS score of 10.0 and is classified as an "Improper Control of Generation of Code (Code Injection)" issue. The flaw was fixed in Flowise version 3.0.6, and a newer 3.1.1 release was made available the month before the report.

Attack Landscape: Hackers Target Unpatched Instances

Despite the patch being available for months, VulnCheck observed the first wild exploitation on April 6. Security research VP Caitlin Condon warned on LinkedIn that a Canary network detected active exploitation of CVE‑2025‑59528 originating from a single Starlink IP. She estimated that roughly 12,000–15,000 Flowise instances remain exposed on the public internet, though it is unclear how many are still running the vulnerable version.

Related Vulnerabilities

Condon also highlighted two additional critical Flowise issues: an authentication bypass (CVE‑2025‑8943) and an arbitrary file‑upload flaw (CVE‑2025‑26319). Exploit payloads, PCAP files, YARA rules, network signatures, and details about the targeted Docker containers have been shared with Canary Intelligence customers.

Hackers exploit a critical Flowise flaw affecting thousands of AI workflows

Source: freebuf

Written by

Black & White Path