A maximum-severity security flaw in Flowise, the open-source platform for building flows with AI models, is being actively exploited by attackers, according to analysis by the firm VulnCheck. The defect, identified as CVE-2025-59528, has a CVSS score of 10.0 and allows code injection, which can result in remote execution of commands on servers running Flowise.
In essence, the vulnerability is located in a node called CustomMCP, which accepts the configuration needed to connect to an MCP (Model Context Protocol) server. While processing the configuration string supplied by the user, Flowise ends up running JavaScript code without security validation, which opens the door for an attacker to execute arbitrary instructions with the privileges of the Node.js environment running the application. In practice, this allows access to dangerous modules such as child_process to launch system commands and fs to read or modify files, exposing sensitive data and making a full takeover of the server possible.

Flowise published an advisory and patched the problem in version 3.0.6 of the package available on npm; the fix and the platform code can be found in its official repository on GitHub and on the package page on npm. Kim SooHyun is credited as the person who discovered and reported the vulnerability.
The situation is complicated because, according to VulnCheck, exploitation in the wild is not purely theoretical: attempts have been detected from a single exit point on the Starlink network, and the public attack surface of instances exposed on the Internet is large. Researcher Caitlin Condon, from VulnCheck, warned that having more than ten thousand instances accessible from the Internet increases the likelihood that attackers will scan for and exploit unpatched servers, something that has already happened with previous Flowise flaws.
This CVE joins other problems previously exploited on the platform: a remote execution of commands on the operating system and an arbitrary file upload vulnerability, with equally high scores. The fact that only an API token is required to interact with the vulnerable functionality increases the risk to business continuity and to the privacy of customers and data.
For teams that manage Flowise, the recommendation is clear and urgent: update to the corrected version of the package, limit the public exposure of instances and rotate exposed credentials. In addition, it is advisable to review logs for unusual activity and apply containment measures, such as restricting network access, using a web application firewall and minimizing the privileges of the Node.js process in production. Resources like OWASP's remote code execution guides can help put defensive measures in context.

Recent incidents highlight a recurring lesson in software security: extension and dynamic configuration capabilities in environments that run code (such as nodes that process configuration strings) must be implemented with strict controls, because any unvalidated code execution can quickly become a hole with serious consequences.
For more information and follow-up on patches and recommendations, see the official Flowise repository on GitHub (https://github.com/FlowiseAI/Flowise/releases), the package page on npm (https://www.npmjs.com/package/flowise) and the public analyses and advisories of research firms such as VulnCheck. For additional context on exploitation and coverage aimed at the general public, specialized outlets such as The Hacker News have covered similar incidents.
If you manage Flowise instances, prioritize the update and take immediate mitigation measures: the window to reduce risk is short when exploitation is already under way.