Flowise AI Patch CVE-2025-59528 After Remote Code Exploit

- Flowise AI Agent Builder contains a CustomMCP node that parses user‑provided mcpServerConfig strings and executes JavaScript without security validation, creating a code injection path.
- CVE-2025-59528 is assigned a CVSS score of 10.0 and allows remote code execution via arbitrary JavaScript, granting access to Node.js modules such as child_process and fs with full runtime privileges.
- Kim SooHyun discovered and reported the flaw, and Flowise released a fix in version 3.0.6 of the npm package.
- VulnCheck observed exploitation attempts originating from a single Starlink IP address, noting that the vulnerability has been public for over six months and that more than 12,000 exposed Flowise instances exist.
- Caitlin Condon of VulnCheck emphasized that the long‑standing public exposure and large attack surface make the active scanning and exploitation attempts especially serious for businesses using the platform.
Why it matters: Enterprises running Flowise AI Agent Builder face immediate risk of full system compromise, because an attacker holding only an API token can execute arbitrary JavaScript on the host, threatening business continuity and data security. Patching to v3.0.6 mitigates the flaw, but with more than 12,000 exposed instances the attack surface remains large and many systems are still vulnerable.
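The injection path described above, as an added illustration that is not Flowise's code: a representative unsafe parser that evaluates a user-supplied mcpServerConfig string as JavaScript, beside a hardened parser that treats the string strictly as JSON data and allowlists its shape. The config schema used here (command, args, env) is an assumption for the example, not the real node's schema.

```javascript
// Added illustration, not Flowise's code. The {command, args, env} schema is
// an assumed stand-in for whatever the real CustomMCP node expects.
const ALLOWED_KEYS = new Set(["command", "args", "env"]);

// Representative unsafe pattern: the user's string is evaluated as a JavaScript
// expression, so any expression in it runs inside the Node.js process with the
// server's privileges. This is the class of defect the advisory describes.
function parseConfigUnsafe(str) {
  return new Function(`"use strict"; return (${str});`)();
}

// Hardened replacement: parse the string strictly as data (JSON.parse never
// evaluates code), then validate the resulting shape against an allowlist.
function parseConfigSafe(str) {
  let cfg;
  try {
    cfg = JSON.parse(str);
  } catch {
    throw new Error("mcpServerConfig must be strict JSON");
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    throw new Error("mcpServerConfig must be a JSON object");
  }
  // Reject unknown keys, including "__proto__"/"constructor" style keys.
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unexpected key: ${key}`);
  }
  if (typeof cfg.command !== "string" || cfg.command.length === 0) {
    throw new Error("command must be a non-empty string");
  }
  const args = cfg.args ?? [];
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new Error("args must be an array of strings");
  }
  const env = cfg.env ?? {};
  if (env === null || typeof env !== "object" || Array.isArray(env) ||
      !Object.values(env).every((v) => typeof v === "string")) {
    throw new Error("env must be an object whose values are strings");
  }
  // Return a fresh object so no extra properties leak downstream.
  return { command: cfg.command, args, env };
}

// Constructed inputs for a stand-alone run (CommonJS only; skipped under ESM).
if (typeof require !== "undefined" && require.main === module) {
  const safeInput = '{"command":"npx","args":["-y","example-mcp-server"]}';
  console.log(parseConfigSafe(safeInput));
  const exprInput = '{command: "x".toUpperCase()}'; // valid JS, not valid JSON
  console.log(parseConfigUnsafe(exprInput)); // code ran: { command: "X" }
  try { parseConfigSafe(exprInput); } catch (e) { console.log(e.message); }
}
```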


