Max severity Flowise RCE vulnerability now exploited in attacks

Why This Matters

The exploitation of the CVE-2025-59528 vulnerability in Flowise highlights the ongoing risks associated with open-source AI development platforms, especially as attackers target widely used tools to execute arbitrary code. This underscores the importance for users and developers to promptly update to secure versions and implement robust security practices to mitigate potential breaches. The incident also emphasizes the need for continuous security monitoring in AI and low-code environments to protect sensitive data and maintain trust in AI-driven applications.

Key Takeaways

Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in Flowise, an open-source platform for building custom LLM apps and agentic systems, to execute arbitrary code.

The flaw allows injecting JavaScript code without any security checks and was publicly disclosed last September, with the warning that successful exploitation leads to command execution and file system access.

The problem lies in the Flowise CustomMCP node, which accepts configuration settings for connecting to an external Model Context Protocol (MCP) server and unsafely evaluates the user-supplied mcpServerConfig input. In doing so, it can execute JavaScript without first validating it.
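As an added illustration (not Flowise's own code, which the article does not reproduce), the risky pattern described above in simplified form next to a hardened parser; the configuration key names and the helper names are assumptions:

```javascript
// Added illustration of the pattern behind CVE-2025-59528 as described in
// the article: a user-supplied mcpServerConfig string handed to the JS
// engine for evaluation, next to a parser that never evaluates code.
// Simplified and hypothetical; not Flowise's actual implementation.

// Vulnerable pattern: treating the config text as a JS object literal and
// letting the engine evaluate it. Any expression the user writes executes.
function parseMcpServerConfigUnsafe(configText) {
  return Function('"use strict"; return (' + configText + ');')();
}

// Hardened pattern: parse as strict JSON (JSON.parse never runs code), then
// validate the shape against an explicit allowlist before using any value.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url']); // assumed keys

function parseMcpServerConfigSafe(configText) {
  let cfg;
  try {
    cfg = JSON.parse(configText);
  } catch (e) {
    throw new Error('mcpServerConfig must be valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  const isStr = (v) => typeof v === 'string';
  if (cfg.command !== undefined && !isStr(cfg.command)) throw new Error('command must be a string');
  if (cfg.url !== undefined && !isStr(cfg.url)) throw new Error('url must be a string');
  if (cfg.args !== undefined && !(Array.isArray(cfg.args) && cfg.args.every(isStr))) {
    throw new Error('args must be an array of strings');
  }
  if (cfg.env !== undefined && !(cfg.env && typeof cfg.env === 'object' &&
      !Array.isArray(cfg.env) && Object.values(cfg.env).every(isStr))) {
    throw new Error('env must be a string-to-string map');
  }
  return cfg;
}

// Wrapper returning a result object instead of throwing, for validation at an API boundary.
function validateMcpServerConfig(configText) {
  try { return { ok: true, config: parseMcpServerConfigSafe(configText) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Constructed sample inputs: plain JSON config, and a JS expression that is
// not JSON (it computes the command at runtime) to show the difference.
const GOOD_CONFIG = '{"command":"npx","args":["-y","@example/mcp-server"],"env":{"LOG":"1"}}';
const EXPRESSION_CONFIG = '{"command": (() => "computed")(), "args": []}';
```

The unsafe parser happily runs the arrow function inside EXPRESSION_CONFIG, while the safe parser rejects it at JSON.parse before any evaluation can happen.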

The developer addressed the issue in Flowise version 3.0.6. The current latest version is 3.1.1, released two weeks ago.

Flowise is an open-source, low-code platform for building AI agents and LLM-based workflows. It provides a drag-and-drop interface that lets users connect components into pipelines powering chatbots, automation, and AI systems.

It is used by a broad range of users, including developers working in AI prototyping, non-technical users working with no-code toolsets, and companies that operate customer support chatbots and knowledge-based assistants.

Caitlin Condon, security researcher at vulnerability intelligence company VulnCheck, announced on LinkedIn that exploitation of CVE-2025-59528 has been detected by their Canary network.

“Early this morning, VulnCheck's Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform,” Condon warned.

Although the activity appears limited at this time, originating from a single Starlink IP, the researchers warned that there are between 12,000 and 15,000 Flowise instances exposed online right now.

However, it is unclear what percentage of those are vulnerable Flowise servers.
