Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Critical Alert: Flowise AI Builder Faces Active Exploitation of CVSS 10.0 Vulnerability
TL;DR
Threat actors are actively exploiting a maximum-severity code injection vulnerability (CVE-2025-59528, CVSS 10.0) in Flowise, a popular open-source AI agent builder. With over 12,000 instances exposed to the internet, attackers are leveraging a flaw in the CustomMCP node to gain full remote code execution (RCE). Users are urged to update to version 3.0.6 immediately.
Overview of CVE-2025-59528
Security researchers at VulnCheck have identified active exploitation of a critical security flaw in Flowise, an open-source platform used by numerous large corporations to build AI agents.
The vulnerability, tracked as CVE-2025-59528, carries a CVSS score of 10.0, the highest possible severity rating. The flaw is a code injection vulnerability rooted in how the platform handles configuration settings for external Model Context Protocol (MCP) servers.
Technical Breakdown: The CustomMCP Node
According to an advisory released by Flowise, the vulnerability exists within the CustomMCP node. This node allows users to build MCP server configurations by inputting an mcpServerConfig string.
The security breakdown occurs during the parsing process:
- Unvalidated Execution: The platform executes JavaScript code from the user-provided string without any security validation.
- Full Privileges: Because the code runs with full Node.js runtime privileges, an attacker can access dangerous modules, including child_process (for system command execution) and fs (for file system access).
- Minimal Requirements: Flowise noted that an attacker needs only an API token to weaponize this flaw, making it an extreme risk to business continuity and sensitive customer data.
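A data-only way to handle a user-supplied configuration string such as mcpServerConfig, shown as an added example: this is not Flowise's code and not its actual fix. The accepted key names (command, args, env, url, headers) and the size limit are assumptions made for illustration.

```javascript
// Added example, not Flowise code: parse an MCP server config string as data only.
// Assumption: the key names below are illustrative, not Flowise's real schema.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);
const MAX_CONFIG_BYTES = 16 * 1024;

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isStringMap = (v) => isPlainObject(v) && Object.values(v).every((x) => typeof x === 'string');

function parseMcpServerConfig(raw) {
  if (typeof raw !== 'string' || Buffer.byteLength(raw, 'utf8') > MAX_CONFIG_BYTES) {
    throw new TypeError('config must be a string of bounded size');
  }
  let cfg;
  try {
    // JSON.parse only builds data; identifiers and calls are syntax errors here,
    // whereas eval() or the Function constructor would run them.
    cfg = JSON.parse(raw);
  } catch {
    throw new SyntaxError('config is not valid JSON');
  }
  if (!isPlainObject(cfg)) throw new TypeError('config must be a JSON object');
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError('unexpected key: ' + key);
  }
  const has = (k) => Object.prototype.hasOwnProperty.call(cfg, k);
  if (has('command') === has('url')) throw new TypeError('set exactly one of command or url');
  if (has('command') && (typeof cfg.command !== 'string' || cfg.command === '')) {
    throw new TypeError('command must be a non-empty string');
  }
  if (has('url')) {
    if (typeof cfg.url !== 'string') throw new TypeError('url must be a string');
    let parsed;
    try { parsed = new URL(cfg.url); } catch { throw new TypeError('url is not parseable'); }
    if (!['http:', 'https:'].includes(parsed.protocol)) throw new TypeError('url must be http(s)');
  }
  if (has('args') && !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new TypeError('args must be an array of strings');
  }
  for (const k of ['env', 'headers']) {
    if (has(k) && !isStringMap(cfg[k])) throw new TypeError(k + ' must map strings to strings');
  }
  return cfg;
}
```

Validation of this kind limits what a configuration string can express; it complements updating to the fixed release and does not replace it.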
Active Exploitation and Impact
VulnCheck reports that exploitation attempts have already been observed in the wild. Interestingly, current activity has been traced back to a single Starlink IP address.
Despite the vulnerability being public since September 2025, the threat remains high due to the vast attack surface. "The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we're seeing more serious," said Caitlin Condon, vice president of security research at VulnCheck.
This is not the first time Flowise has been targeted. This flaw marks the third "in-the-wild" exploitation for the platform, following:
- CVE-2025-8943 (CVSS 9.8): OS command remote code execution.
- CVE-2025-26319 (CVSS 8.9): Arbitrary file upload.
Remediation
The vulnerability was discovered and reported by researcher Kim SooHyun. Flowise has released a fix to address the issue.
Recommended Action: All organizations using Flowise must update their installations to version 3.0.6 of the npm package immediately to mitigate the risk of full system compromise and data exfiltration.
Conclusion
As AI integration becomes standard in corporate environments, platforms like Flowise become high-value targets for threat actors. The combination of a CVSS 10.0 rating and over 12,000 exposed instances creates a significant window of opportunity for attackers. Security teams should prioritize patching this vulnerability to protect their internal file systems and sensitive AI configurations.
Source: https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html


