Critical Remote Code Execution in Flowise (CVE‑2025‑59528) Threatens AI Workflow Platforms
What It Is – Flowise, an open‑source platform for building LLM‑driven workflows, contains a critical remote‑code‑execution flaw (CVE‑2025‑59528). The vulnerability stems from the CustomMCP node’s convertToValidJSONString function, which passes user‑supplied configuration directly to the JavaScript Function() constructor, allowing execution of arbitrary code with full Node.js privileges.
Exploitability – The flaw scores a perfect CVSS 10.0 and is actively exploited in the wild. Threat intel (VulnCheck) observed exploitation from a single Starlink IP targeting 12‑15 k online instances. No public PoC is required; an attacker only needs a valid Flowise API token.
Affected Products – Flowise versions ≤ 3.0.5 (all OSes). The issue was patched in v3.0.6 (Sep 2025).
TPRM Impact – Organizations that embed Flowise in their AI pipelines risk full system compromise, data exfiltration, and disruption of downstream services. The open‑source nature means many third‑party SaaS providers may be unknowingly running vulnerable instances, expanding the supply‑chain attack surface.
Recommended Actions –
- Upgrade immediately to Flowise 3.0.6 or later.
- Rotate all API tokens used with Flowise deployments.
- Conduct a code‑review of custom nodes for unsafe
eval/Functionusage. - Apply network segmentation and restrict outbound connections from Flowise servers.
- Enable runtime monitoring for unexpected
child_processorfsactivity and set up alerts.
Source: Security Affairs