
Critical Flowise RCE Flaw Actively Exploited Following Public Disclosure


Cybersecurity researchers are warning of active exploitation of a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-59528, in the open-source low-code platform Flowise. The platform is widely used for building custom large language model (LLM) applications and agentic AI systems. The flaw, which carries a maximum severity rating, allows unauthenticated attackers to inject and execute arbitrary JavaScript code on vulnerable instances without any security checks. Successful exploitation grants attackers the ability to execute system commands and gain direct access to the underlying file system, posing a severe risk to data integrity and confidentiality.

The vulnerability resides within Flowise's CustomMCP (Model Context Protocol) node. This component lets users supply configuration settings for connecting to an external MCP server. The security weakness stems from the unsafe evaluation of user-supplied input in the `mcpServerConfig` parameter: the node evaluates that input as JavaScript without prior validation or sanitization, creating a direct path for code injection. The issue was publicly disclosed in September of last year alongside warnings that it could lead to complete system compromise. The Flowise development team addressed the vulnerability in version 3.0.6, with the latest patched version being 3.1.1, released approximately two weeks ago.
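To make the vulnerability class concrete, the following is an added illustration written for this article, not Flowise's own code: a config parser that evaluates a user-supplied string as JavaScript (the pattern the advisory describes) beside a hardened replacement that parses strict JSON and validates the result. The field names (`url`, `headers`), the function names and the sample configs are assumptions constructed for the example.

```javascript
// Added illustration (not Flowise's own code): an unsafe config parser of the
// kind the advisory describes, next to a hardened replacement. Field names
// (url, headers) and the sample configs below are assumptions/constructed.

// UNSAFE: evaluates the user-supplied string as JavaScript so that "JSON-like"
// object literals are accepted. Any other expression in the string runs too.
function parseMcpServerConfigUnsafe(configText) {
  return new Function("return (" + configText + ");")();
}

// HARDENED: strict JSON, explicit shape check, allowlisted keys, validated URL.
const ALLOWED_KEYS = new Set(["url", "headers"]);

function parseMcpServerConfigSafe(configText) {
  let parsed;
  try {
    parsed = JSON.parse(configText); // data only; never executes anything
  } catch (err) {
    throw new Error("mcpServerConfig must be valid JSON: " + err.message);
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("mcpServerConfig must be a JSON object");
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) {
      throw new Error("unexpected field in mcpServerConfig: " + key);
    }
  }
  if (typeof parsed.url !== "string") {
    throw new Error("mcpServerConfig.url is required and must be a string");
  }
  const u = new URL(parsed.url); // throws on malformed URLs
  if (u.protocol !== "https:") {
    throw new Error("mcpServerConfig.url must use https");
  }
  if (parsed.headers !== undefined) {
    const h = parsed.headers;
    if (h === null || typeof h !== "object" || Array.isArray(h) ||
        !Object.values(h).every((v) => typeof v === "string")) {
      throw new Error("mcpServerConfig.headers must map strings to strings");
    }
  }
  return { url: u.toString(), headers: parsed.headers || {} };
}

// Constructed sample inputs: a legitimate config, and a string that is valid
// JavaScript but not JSON, carrying a benign side effect so the difference
// between the two parsers is observable.
const GOOD_CONFIG =
  '{"url": "https://mcp.example.internal/sse", "headers": {"Authorization": "Bearer TOKEN-PLACEHOLDER"}}';
const NON_JSON_CONFIG =
  '(globalThis.__configEvaluated = true, {url: "https://mcp.example.internal/sse"})';

// Runs both parsers over the sample inputs and reports what happened.
function compareParsers() {
  globalThis.__configEvaluated = false;
  const result = { unsafeRanCode: false, safeRejectedNonJson: false, safeAcceptedGood: false };

  parseMcpServerConfigUnsafe(NON_JSON_CONFIG);
  result.unsafeRanCode = globalThis.__configEvaluated === true;

  try {
    parseMcpServerConfigSafe(NON_JSON_CONFIG);
  } catch (err) {
    result.safeRejectedNonJson = /valid JSON/.test(err.message);
  }

  const cfg = parseMcpServerConfigSafe(GOOD_CONFIG);
  result.safeAcceptedGood = cfg.url === "https://mcp.example.internal/sse";
  return result;
}

console.log(compareParsers());
```

The point of the hardened version is that `JSON.parse` can only ever produce data, so the question of "what else does this string do" disappears entirely; the key allowlist and URL check then bound what a config can make the node connect to. A product that also needs to launch local MCP servers from a `command` field would need a separate allowlist of permitted binaries, which this example deliberately leaves out.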

Flowise has gained significant traction as a drag-and-drop, visual programming interface that enables both developers and non-technical users to construct AI-powered workflows, chatbots, and automation systems. Its user base spans AI developers for rapid prototyping, enterprises deploying customer support bots, and organizations utilizing no-code toolsets for knowledge management. The active exploitation of this flaw underscores the heightened risk to a broad ecosystem, particularly where instances remain unpatched. Organizations are urged to immediately upgrade to Flowise version 3.0.6 or later to mitigate the threat.
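The upgrade advice above only helps if you know which instances are still below 3.0.6. The following is an added helper, not part of the article or the Flowise project, that compares reported version strings against that fixed-in version using semver ordering (a pre-release of 3.0.6 counts as unpatched). The inventory entries and host names are constructed sample data.

```javascript
// Added helper (not from the article or the Flowise project): flags reported
// Flowise versions that predate the fix in 3.0.6 named in the article.
// The sample inventory below is constructed.
const FIXED_IN = [3, 0, 6];

// Accepts "3.0.5", "v3.1.1" or "3.0.6-rc.1"; anything else is an error rather
// than a silent "patched".
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) throw new Error("unrecognised version string: " + text);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

function needsUpgrade(versionText) {
  const v = parseVersion(versionText);
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] < FIXED_IN[i]) return true;
    if (v.parts[i] > FIXED_IN[i]) return false;
  }
  // Numerically equal to 3.0.6: a pre-release (3.0.6-rc.1) precedes the
  // release in semver ordering, so it is still treated as unpatched.
  return v.prerelease;
}

const SAMPLE_INVENTORY = [
  { host: "flowise-dev.example.internal", version: "2.2.8" },
  { host: "flowise-prod.example.internal", version: "3.0.6" },
  { host: "flowise-lab.example.internal", version: "v3.1.1" },
  { host: "flowise-old.example.internal", version: "3.0.5" },
];

function hostsNeedingUpgrade(inventory) {
  return inventory.filter((e) => needsUpgrade(e.version)).map((e) => e.host);
}

console.log(hostsNeedingUpgrade(SAMPLE_INVENTORY));
```

Unparseable version strings throw on purpose: an instance whose version cannot be read should land in someone's queue rather than disappear from the list of hosts to upgrade.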

The exploitation of CVE-2025-59528 occurs amidst a concerning landscape of other critical threats. Recent campaigns have seen hackers leveraging the "React2Shell" vulnerability in automated credential theft operations, while a sophisticated npm supply chain attack used a fake Microsoft Teams error fix to hijack a maintainer's account. Additionally, a new flaw in Fortinet's FortiClient EMS has been exploited, prompting an emergency patch, and device code phishing attacks have surged 37-fold due to the proliferation of new attack kits online. This context, combined with the FBI's report that Americans lost a record $21 billion to cybercrime last year, highlights the critical need for proactive vulnerability management and timely patching of internet-facing applications like Flowise.
