Attackers Exploit Flowise Injection Vulnerability as 15,000+ Instances Remain Exposed
A critical security flaw in Flowise, a widely used open-source AI development platform, is currently being actively exploited in the wild.
Trackable as CVE-2025-59528, this code injection vulnerability carries the maximum possible CVSS score of 10.0.
It permits remote attackers to execute malicious code and seize complete control over affected servers.
Security researchers warn that up to 15,000 Flowise instances remain publicly exposed online, creating an extremely hazardous scenario for organizations utilizing the platform.
How the Code Injection Occurs
The vulnerability’s root cause lies within Flowise’s handling of external server configurations. Specifically, it resides in the platform’s CustomMCP (Model Context Protocol) node.
When users input configuration settings to connect to an external server, the application processes this data through a specific function to build the final setup.
Unfortunately, this user-provided text is evaluated as JavaScript code without applying any security filters.
The system takes the input and directly passes it into a Node.js Function() constructor.
Given that this execution occurs with full runtime privileges, an attacker can effortlessly write malicious commands that access critical system modules like the file system and child processes.
The attack requires minimal effort to execute. An attacker only needs to send a specially crafted network request to the vulnerable API endpoint.
Once the server processes the malicious configuration string, it executes the payload in the background, granting the attacker full remote code execution.
A proof-of-concept demonstration showed how a single web request could force the server to execute arbitrary shell commands and create unauthorized files on the system.
Active Threats and Real-World Impact
The cybersecurity firm VulnCheck recently detected the first instances of live exploitation targeting this exact flaw.
According to their early warning network, the initial wave of attacks originated from a single Starlink IP address.
If successfully exploited, this code injection vulnerability leads to catastrophic consequences:
- Full compromise of the underlying host system
- Unauthorized read and write access to the file system
- Silent execution of dangerous system-level commands
- Exfiltration of sensitive business and customer data
This is not the first time threat actors have targeted this platform. Other severe Flowise vulnerabilities, such as CVE-2025-8943 and CVE-2025-26319, have also seen active exploitation in recent months.
The vulnerability impacts Flowise versions 3.0.5 and earlier. The development team has officially addressed the issue by releasing a patched version.
Security teams and network administrators must immediately upgrade their Flowise deployments to version 3.0.6 to secure their infrastructure.
Leaving these instances exposed without the patch practically guarantees a system breach, given the active scanning and exploitation currently taking place.