Critical Code Injection Flaw in Flowise AI Platform Exploited in the Wild
Threat actors are actively exploiting a critical code injection vulnerability, **CVE-2025-59528**, in the open-source **Flowise** AI platform. The flaw allows for remote code execution and could lead to full system compromise.

### Flowise Vulnerability Exploitation
According to **VulnCheck**, a maximum-severity vulnerability, **CVE-2025-59528** (CVSS score: 10.0), is being actively exploited in **Flowise**, an open-source AI platform. This code injection vulnerability allows for remote code execution.
**Flowise** issued an advisory in September 2025, stating that the vulnerability resides within the CustomMCP node. This node is designed to allow users to configure settings for connecting to an external MCP (Model Context Protocol) server.
> "The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server," Flowise said. "This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation."
### Technical Details and Impact
Successful exploitation of **CVE-2025-59528** grants access to potentially dangerous modules such as `child_process` (for command execution) and `fs` (for file system access). As **Flowise** runs with full **Node.js** runtime privileges, attackers can execute arbitrary JavaScript code on the server. This can lead to complete system takeover, file system manipulation, command execution, and sensitive data theft.
**Flowise** emphasized the severity, noting that only an API token is required for exploitation, posing a significant risk to business continuity and customer data. The vulnerability was discovered and reported by Kim SooHyun and has been addressed in version 3.0.6 of the npm package.
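Added example, not Flowise's own code and not the exact code path from the advisory: the flawed pattern the advisory describes (a user-supplied `mcpServerConfig` string evaluated as JavaScript) next to a parser that treats the string purely as data and checks it against a fixed shape. The field names `command`, `args`, `env`, `url` and `headers` are assumptions made for illustration.

```javascript
// Added example, not Flowise's code. Contrasts evaluating a config string as
// code with parsing it as data. The schema (command/args/env or url/headers)
// is an assumption for illustration, not Flowise's actual format.

// FLAWED: the string is executed. Whatever it contains runs with the server's
// full Node.js privileges, including require('child_process') and require('fs').
function parseConfigByEvaluation(mcpServerConfig) {
  return new Function(`return (${mcpServerConfig});`)();
}

const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);
const MAX_CONFIG_BYTES = 16 * 1024;

function isStringArray(v) {
  return Array.isArray(v) && v.every((s) => typeof s === 'string');
}
function isStringMap(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) &&
    Object.values(v).every((s) => typeof s === 'string');
}

// HARDENED: JSON.parse cannot execute anything; the result is then validated
// against a fixed shape so unexpected fields never reach the MCP client.
function parseMcpServerConfig(mcpServerConfig) {
  if (typeof mcpServerConfig !== 'string' || mcpServerConfig.length > MAX_CONFIG_BYTES) {
    throw new Error('config must be a string within the size limit');
  }
  let cfg;
  try { cfg = JSON.parse(mcpServerConfig); } catch { throw new Error('config must be valid JSON'); }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('config must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unexpected key: ${key}`);
  }
  const { command, args = [], env = {}, url, headers = {} } = cfg;
  const hasCommand = typeof command === 'string';
  const hasUrl = typeof url === 'string';
  if (hasCommand === hasUrl) throw new Error('exactly one of command or url is required');
  if (!isStringArray(args) || !isStringMap(env) || !isStringMap(headers)) {
    throw new Error('args must be a string array; env and headers must be string maps');
  }
  if (hasUrl && !/^https?:\/\//.test(url)) throw new Error('url must be http(s)');
  return hasCommand ? { transport: 'stdio', command, args, env }
                    : { transport: 'http', url, headers };
}
```

The evaluating version accepts JavaScript object literals (unquoted keys, trailing commas), which is the usual reason developers reach for it; the hardened version rejects those and forces callers to supply plain JSON.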
### In-the-Wild Exploitation
**VulnCheck** reports that the exploitation activity appears to originate from a single **Starlink** IP address. **CVE-2025-59528** is the third **Flowise** vulnerability observed being exploited in the wild, following **CVE-2025-8943** (CVSS score: 9.8), an OS command injection flaw enabling remote code execution, and **CVE-2025-26319** (CVSS score: 8.9), an arbitrary file upload flaw.
Caitlin Condon, vice president of security research at **VulnCheck**, highlighted the critical nature of the bug, stating:
> "This is a critical-severity bug in a popular AI platform used by a number of large corporations. This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability. The internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we're seeing more serious, as it means attackers have plenty of targets to opportunistically reconnoiter and exploit."