# Flowise AI Platform Faces Critical RCE Vulnerability as 12,000+ Instances Come Under Active Attack


## The Threat


Threat actors are actively exploiting a maximum-severity code injection vulnerability in Flowise, a popular open-source AI agent builder platform used by enterprises and developers worldwide. The flaw, tracked as CVE-2025-59528 with a perfect CVSS score of 10.0, allows unauthenticated attackers to execute arbitrary code on vulnerable systems with minimal effort.


The vulnerability resides in Flowise's CustomMCP node, a component that enables users to configure settings for connecting to external services and AI models. The node fails to properly validate or sanitize user input before executing it, creating a direct pathway to remote code execution. An attacker can inject malicious code through the configuration interface and gain complete control over the affected instance, potentially leading to data theft, lateral movement within networks, or deployment of persistent backdoors.


VulnCheck researchers have documented active exploitation in the wild, with over 12,000 exposed Flowise instances currently at risk. The high accessibility of the vulnerable component—often exposed directly to the internet in development and production environments—combined with the trivial attack complexity required makes this one of the most dangerous application-layer vulnerabilities discovered in 2025.


## Severity and Impact


| Attribute | Value |

|---|---|

| CVE Identifier | CVE-2025-59528 |

| CVSS v3.1 Score | 10.0 (Critical) |

| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

| Attack Vector | Network |

| Attack Complexity | Low |

| Privileges Required | None |

| User Interaction | None |

| Scope | Unchanged |

| Confidentiality Impact | High |

| Integrity Impact | High |

| Availability Impact | High |

| CWE Category | CWE-94 (Improper Control of Generation of Code) |


The perfect CVSS score reflects the vulnerability's worst-case characteristics: it requires no authentication, can be triggered remotely over the network, demands no user interaction, and grants attackers complete system compromise with no limitations.


## Affected Products


Flowise AI Agent Builder

  • All versions prior to and including the vulnerable release
  • Open-source deployments (GitHub-hosted)
  • Cloud deployments using vulnerable versions
  • Enterprise installations without patching

    • Specific components at risk:

  • Flowise web application with exposed CustomMCP node interface
  • Any Flowise instance accessible from the internet
  • Flowise deployments running in containerized environments (Docker)
  • Flowise instances integrated with third-party AI platforms (OpenAI, Anthropic, LLaMA, etc.)

    • ## Mitigations


    Immediate actions required:


    1. Apply Security Updates: Check the Flowise GitHub repository immediately for patched releases. Update to the latest version that addresses CVE-2025-59528. If you're running a containerized deployment, rebuild your image with the patched version.


    2. Network Segmentation: If immediate patching is not possible, restrict network access to Flowise instances. Implement firewall rules that limit access to the CustomMCP configuration endpoint to trusted IP addresses or trusted internal networks only. Do not expose Flowise directly to the internet without additional authentication layers.


    3. Disable Unnecessary Features: If your organization does not use the CustomMCP node functionality, disable or remove it from your deployment. This eliminates the attack surface entirely.


    4. Web Application Firewall (WAF): Deploy or update WAF rules to monitor and block suspicious payloads targeting the CustomMCP configuration interface. Look for code injection patterns, command syntax, and script payloads in request parameters.


    5. Authentication and Access Control: Implement strong authentication mechanisms in front of Flowise, such as:

    - OAuth 2.0 or SAML 2.0 integration

    - Multi-factor authentication (MFA)

    - IP whitelisting combined with VPN access

    - API key validation for programmatic access


    6. Monitoring and Detection: Enable comprehensive logging on Flowise instances to capture configuration changes, API calls, and code execution attempts. Ingest logs into a SIEM platform and create alerts for:

    - Unexpected changes to CustomMCP settings

    - Suspicious function calls or system commands in payloads

    - Unusual network connections originating from the Flowise instance


    7. Incident Response: If you suspect your Flowise instance has been compromised, immediately:

    - Isolate the affected system from the network

    - Preserve logs and evidence for forensic analysis

    - Scan for persistence mechanisms (scheduled tasks, cron jobs, backdoors)

    - Audit account access and API tokens for unauthorized usage


    ## References


  • Flowise GitHub Repository: https://github.com/FlowiseAI/Flowise
  • CVE-2025-59528 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-59528
  • VulnCheck Research: Check VulnCheck's vulnerability database for detailed exploitation analysis
  • Flowise Security Advisory: Monitor official Flowise documentation and GitHub releases for patch announcements

    • ---


    Bottom Line: This is not a theoretical vulnerability—threat actors are actively exploiting CVE-2025-59528 right now against thousands of exposed instances. Organizations running Flowise must treat this as a critical priority. Patch immediately, restrict network access, and implement detective controls to identify any successful exploitation attempts. If you're evaluating Flowise for future deployment, defer implementation until this vulnerability is resolved and security practices are hardened.