Flowise AI Agent Builder Injection Vulnerability Exploited in Attacks, 15,000+ Instances Exposed

Threat actors are actively exploiting a maximum-severity remote code execution (RCE) vulnerability in Flowise, an open-source platform used for building AI agents and customized large language model workflows.

The critical flaw, tracked as CVE-2025-59528 with a CVSS score of 10.0, allows attackers to execute arbitrary JavaScript code and achieve full system compromise.

Threat intelligence telemetry indicates that between 12,000 and 15,000 Flowise instances are currently exposed to the public internet, creating a massive attack surface for exploitation.

The vulnerability stems from improper input validation within the CustomMCP node of Flowise, which processes configuration settings for external Model Context Protocol (MCP) servers.

Instead of safely parsing the data, the application’s convertToValidJSONString function directly passes the user-provided mcpServerConfig string into a Function() constructor.

This design flaw treats the input as JavaScript code in the global Node.js context, allowing execution of any malicious payload with full runtime privileges.
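The difference between evaluating and parsing the configuration string, shown as an added example that is neither Flowise's code nor its 3.0.6 patch. The names `unsafeConvert` and `parseMcpServerConfig`, the key allowlist, the size cap and the sample inputs are assumptions made for illustration.

```javascript
// Simplified sketch of the unsafe pattern described above, not Flowise's source:
// the string is compiled and run as JavaScript, so any expression in it executes.
function unsafeConvert(input) {
  return JSON.stringify(Function('return ' + input)());
}

// Assumed allowlist of config keys and size cap; adapt both to your own schema.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);
const MAX_CONFIG_CHARS = 16 * 1024;

// Hardened parser (hypothetical helper): JSON.parse treats input as data only.
function parseMcpServerConfig(input) {
  if (typeof input !== 'string' || input.length > MAX_CONFIG_CHARS) {
    throw new TypeError('config must be a string within the size cap');
  }
  let parsed;
  try {
    parsed = JSON.parse(input);
  } catch {
    throw new SyntaxError('config is not strict JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('config must be a JSON object');
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError(`unexpected key: ${key}`);
  }
  if ('args' in parsed && !(Array.isArray(parsed.args) &&
      parsed.args.every((a) => typeof a === 'string'))) {
    throw new TypeError('args must be an array of strings');
  }
  return parsed;
}

// Constructed inputs: a valid config, and an expression with a harmless side effect.
const GOOD = '{"command":"npx","args":["-y","example-mcp-server"]}';
const MARKER = '(globalThis.__evaluated = true, {})';

function demo() {
  globalThis.__evaluated = false;
  let rejected = false;
  try { parseMcpServerConfig(MARKER); } catch { rejected = true; }
  const afterSafe = globalThis.__evaluated; // still false: nothing ran
  unsafeConvert(MARKER);
  const afterUnsafe = globalThis.__evaluated; // true: the input ran as code
  return { rejected, afterSafe, afterUnsafe, good: parseMcpServerConfig(GOOD) };
}

console.log(demo());
```

The strict parser rejects anything that is not a JSON object with expected keys before it reaches downstream code, which is the property to look for when reviewing similar configuration handlers.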

Exploiting CVE-2025-59528 requires no user interaction and can be executed over the network by sending a crafted HTTP POST request to the application’s API endpoint.

Once the payload reaches the vulnerable constructor, it accesses core Node.js modules, such as child_process, to execute underlying operating system commands.

The resulting impact is catastrophic, allowing attackers to achieve complete system takeover, access the file system, and exfiltrate sensitive business data.

A published proof-of-concept exploit demonstrates how easily attackers can weaponize this vulnerability using standard command-line tools.

By injecting a payload that calls system modules, an attacker can force the server to execute remote commands, such as writing arbitrary files to the temporary directory.

Because the exploit requires only basic network access and an API token, it poses an extreme security risk to organizations that rely on this AI framework.

In April 2026, security researchers at VulnCheck detected the first in-the-wild exploitation of this flaw, with initial attacks originating from a single Starlink IP address.

The vulnerability is now gaining significant attention in the cybersecurity community due to the high volume of exposed instances and the trivial nature of the exploit.

This incident follows earlier active exploitation of other Flowise vulnerabilities, highlighting a growing pattern of targeted attacks against AI infrastructure.

Flowise versions up to 3.0.5 are vulnerable to this critical code injection flaw. It was fixed in version 3.0.6, released on GitHub, which adds proper security validation of the MCP server configuration.

Organizations hosting Flowise instances must immediately upgrade to the patched version and restrict public network access to their application APIs.


Source: cybersecuritynews.com
