Your AI Agent Has More Access Than Your Employees
Flowise Has a CVSS 10.0 RCE Under Active Exploitation. 12,000+ Instances Are Exposed.
CVE-2025-59528 is a code injection flaw in Flowise's CustomMCP node, the component that lets users configure connections to external MCP servers. The node parses user-provided config strings without security validation and executes the JavaScript they contain directly. This gives an attacker access to child_process for command execution and fs for full file system access, all running with complete Node.js runtime privileges.
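The bug class described above, as an added example that is not Flowise's own code: a config string evaluated as JavaScript, next to a parser that accepts the same string only as JSON data and checks it against an allowlist. The function names, the `url`/`headers` schema, the size limit and the sample input are assumptions made for this illustration.

```javascript
// Added illustration, not Flowise source. Function names, field names,
// limits and the sample input are assumptions constructed for this example.

// UNSAFE: the config string is compiled and run as JavaScript, so any
// expression in it executes with the privileges of the Node.js process.
function parseConfigUnsafe(configString) {
  return Function('"use strict"; return (' + configString + ')')();
}

// SAFE: the config string is treated as data only.
const ALLOWED_KEYS = new Set(['url', 'headers']); // assumed schema
const MAX_CONFIG_CHARS = 8192;                    // assumed size limit

function isStringMap(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value) &&
    Object.values(value).every((v) => typeof v === 'string');
}

function parseConfigSafe(configString) {
  if (typeof configString !== 'string' || configString.length > MAX_CONFIG_CHARS) {
    throw new Error('config must be a string within the size limit');
  }
  let cfg;
  try {
    cfg = JSON.parse(configString); // strict JSON: no expressions, no calls
  } catch (err) {
    throw new Error('config is not valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('config must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  if (typeof cfg.url !== 'string') throw new Error('url is required');
  const parsed = new URL(cfg.url); // throws on malformed URLs
  if (parsed.protocol !== 'https:') throw new Error('url must use https');
  if ('headers' in cfg && !isStringMap(cfg.headers)) {
    throw new Error('headers must map strings to strings');
  }
  return { url: parsed.href, headers: cfg.headers || {} };
}

// Constructed input: valid JavaScript, invalid JSON, with a harmless side effect.
const SAMPLE = '(globalThis.__configRan = true, { url: "https://mcp.example.invalid/" })';
```

Passing `SAMPLE` to `parseConfigUnsafe` sets the marker on `globalThis`, while `parseConfigSafe` rejects it before anything runs.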
The entry bar is low. Only an API token is required. VulnCheck traced active exploitation to a single Starlink IP address. One attacker, 12,000+ exposed instances.
The patch landed in version 3.0.6 in September 2025. This vulnerability has been public for more than six months. The window for prioritization is gone.
Flowise is worth flagging specifically because it's not a niche tool. It's a drag-and-drop AI agent builder that enterprises use to wire LLMs to internal data, APIs, and workflows. A compromised Flowise instance isn't just a server breach — it's potential access to whatever the agents can touch: internal documents, API keys, connected databases, LLM prompts, and the logic governing how agents make decisions.
This is also the third Flowise vulnerability with in-the-wild exploitation, following CVE-2025-8943 (CVSS 9.8, OS command RCE) and CVE-2025-26319 (CVSS 8.9, arbitrary file upload). The pattern isn't a single bad bug. It's a platform with a security debt problem.
Check if Flowise is deployed in your environment. Patch to 3.0.6 or later. If it's internet-exposed, assume compromise until verified.
- Alex


