Critical RCE in Flowise (CVE‑2025‑59528) Exploited in the Wild Threatens AI Development Platforms
What It Is — Flowise, an open‑source low‑code platform for building LLM‑driven agents, contains a maximum‑severity (CVSS 10) remote code execution flaw (CVE‑2025‑59528). The vulnerability resides in the CustomMCP node, which evaluates user‑supplied mcpServerConfig JavaScript without validation, allowing arbitrary code execution and file‑system access.
Exploitability — Active exploitation has been confirmed by VulnCheck’s Canary network, with malicious traffic observed from a single Starlink IP. Exploit samples, YARA rules, and network signatures are already being shared with customers.
Affected Products — Flowise ≤ 3.0.5 (all versions prior to 3.0.6). The issue is patched in 3.0.6; the current stable release is 3.1.1.
TPRM Impact —
- Third‑party AI services built on vulnerable Flowise instances can become a conduit for ransomware, data exfiltration, or supply‑chain compromise.
- Up to 15 k publicly exposed Flowise deployments increase the attack surface for any organization that integrates these instances into its workflow.
Recommended Actions —
- Verify Flowise version across all owned or vendor‑managed environments.
- Upgrade immediately to 3.1.1 (or at minimum 3.0.6).
- Restrict external network access to Flowise nodes; place them behind VPN or zero‑trust controls.
- Deploy VulnCheck‑provided YARA/network signatures or equivalent IDS/IPS rules.
- Conduct a focused asset inventory of AI/LLM tooling to assess downstream supply‑chain exposure.
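
The version check in the first two actions can be scripted against an asset inventory. The following is an added example, not code from Flowise or VulnCheck: it classifies reported version strings against the 3.0.6 fix and the 3.1.1 stable release named above and orders hosts for remediation. The inventory records, hostnames, field names and status labels are constructed assumptions.

```javascript
// Triage a Flowise inventory against CVE-2025-59528 (added example, hypothetical data model).
// Version thresholds come from the advisory text; everything else is an assumption.
const PATCHED = [3, 0, 6]; // first fixed release
const CURRENT = [3, 1, 1]; // current stable release per the advisory

// Parse "3.0.5", "v3.0.6" or "flowise@3.1.0-rc.1"; return null when no x.y.z version is present.
function parseVersion(raw) {
  const m = /(?:^|[@v\s])(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw ?? "").trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classify(raw) {
  const v = parseVersion(raw);
  if (!v) return "unknown"; // floating tags such as "latest" need manual verification
  // A pre-release of 3.0.6 sorts below 3.0.6 in semver, so it is treated as unpatched.
  if (cmp(v.core, PATCHED) < 0 || (v.pre && cmp(v.core, PATCHED) === 0)) return "vulnerable";
  if (cmp(v.core, CURRENT) < 0 || (v.pre && cmp(v.core, CURRENT) === 0)) return "patched-outdated";
  return "current";
}

// Order hosts by status, then put internet-facing hosts first within each status.
function triage(inventory) {
  const rank = { vulnerable: 0, unknown: 1, "patched-outdated": 2, current: 3 };
  return inventory
    .map((h) => ({ ...h, status: classify(h.version) }))
    .sort((a, b) => rank[a.status] - rank[b.status] || Number(b.internetFacing) - Number(a.internetFacing));
}

// Constructed sample inventory (hostnames and fields are hypothetical).
const sample = [
  { host: "flowise-dev.internal.example", version: "3.1.1", internetFacing: false },
  { host: "vendor-agent.example", version: "v3.0.5", internetFacing: true },
  { host: "poc-lab.internal.example", version: "2.2.7", internetFacing: false },
  { host: "chatbot.example", version: "latest", internetFacing: true },
  { host: "staging.internal.example", version: "flowise@3.0.6", internetFacing: false },
];

for (const h of triage(sample)) {
  console.log(`${h.status.padEnd(17)} ${h.internetFacing ? "exposed " : "internal"} ${h.host} (${h.version})`);
}
```

Hosts that report a floating tag instead of a version land in `unknown` and need the running version confirmed on the host itself before they can be cleared.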
Source: BleepingComputer