
Hackers Exploit Critical Flowise RCE Bug With 10.0 CVSS Score

A maximum-severity code injection flaw in Flowise is under active attack, putting thousands of exposed AI application instances at risk of full system takeover.

Threat actors are actively exploiting a maximum-severity remote code execution vulnerability in Flowise, an open-source low-code platform for building AI applications. Tracked as CVE-2025-59528, the flaw carries a CVSS score of 10.0 and allows unauthenticated attackers to execute arbitrary code with full system privileges. For developers maintaining exposed AI agent frameworks, this incident demonstrates the immediate risk of integrating external server protocols without strict input validation.

Exploitation Scope and Origins

Active in-the-wild exploitation began on April 7, 2026. Security researchers traced the initial attacks to a single Starlink IP address. This single-source origin points to a concentrated scanning campaign targeting public-facing deployments rather than a distributed botnet operation.

Between 12,000 and 15,000 Flowise instances are currently exposed to the public internet. Many of these servers remain unpatched despite a fix being available since September 2025.

This event marks the third time attackers have exploited a Flowise vulnerability in recent months. The pattern indicates a sustained focus on compromising low-code AI infrastructure.

| Vulnerability | CVSS Score | Current Status |
| --- | --- | --- |
| CVE-2025-59528 | 10.0 | Active Exploitation |
| CVE-2025-8943 | 9.8 | Active Exploitation |
| CVE-2025-26319 | 8.9 | Active Exploitation |

Root Cause in the CustomMCP Node

The vulnerability stems from a code injection flaw within the CustomMCP node. Flowise uses this component to connect applications to external servers using the Model Context Protocol.

The specific defect exists in the convertToValidJSONString function found in the CustomMCP.ts file. On lines 262 through 270, the application parses the user-supplied mcpServerConfig parameter using the JavaScript Function() constructor.

Because the Function() constructor, like eval(), compiles its string argument as JavaScript, it executes the input as code rather than parsing it strictly as a data object.

Payload Execution and System Impact

Attackers exploit this flaw by sending a crafted HTTP POST request to the /api/v1/node-load-method/customMCP endpoint. Unauthenticated users can reach this route if the API is exposed directly to the internet without proper access controls.

The injected payload executes with full Node.js runtime privileges. This unrestricted execution environment allows the attacker to import sensitive system modules directly.

Accessing the child_process module enables arbitrary shell command execution on the host machine. Accessing the fs module permits file system reading and writing. The combination of these capabilities leads to data exfiltration and total system compromise.

Remediation and Network Configuration

The vulnerability affects Flowise versions 2.2.7-patch.1 through 3.0.5. The development team resolved the issue in version 3.0.6 by replacing the insecure Function() call with JSON5.parse(). The updated parser ensures the application treats the configuration input safely as data.

Applying strong API keys or bearer tokens provides a necessary layer of access control. Relying solely on authentication leaves the underlying code injection flaw intact if the configuration allows public endpoint routing.

Upgrade all production instances to Flowise 3.0.6 or later immediately. Remove direct internet access to Flowise API endpoints by placing them behind a VPN or restricted access list. Inspect your application logs for any POST requests to the CustomMCP endpoint containing JavaScript keywords like process or require to determine if a breach has already occurred.
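The log inspection described above can be scripted. The following is an added example, not code from Flowise or from the original article; the JSON-lines log schema, the function names and the sample entries are assumptions constructed for illustration.

```javascript
// Added example. The JSON-lines schema (ts, src, method, path, body) is an
// assumption; map the field names to your own proxy or application logs.
const ENDPOINT = '/api/v1/node-load-method/customMCP';
// Keywords and module names taken from the article, matched as whole words.
const KEYWORDS = ['require', 'process', 'child_process'];

function normalizePath(rawPath) {
  // Drop the query string and trailing slashes so route variants still match.
  return String(rawPath || '').split('?')[0].replace(/\/+$/, '').toLowerCase();
}

function findSuspiciousCustomMcpPosts(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // skip truncated or non-JSON lines instead of aborting the scan
    }
    if (entry === null || typeof entry !== 'object') continue;
    if (String(entry.method).toUpperCase() !== 'POST') continue;
    if (normalizePath(entry.path) !== ENDPOINT.toLowerCase()) continue;
    // The body may be logged as a string or as an already-parsed object.
    const body = typeof entry.body === 'string' ? entry.body : JSON.stringify(entry.body ?? '');
    const matched = KEYWORDS.filter((k) => new RegExp(`\\b${k}\\b`).test(body));
    if (matched.length > 0) hits.push({ ts: entry.ts, src: entry.src, matched });
  }
  return hits;
}

// Constructed sample entries (not real traffic; addresses are documentation ranges).
const SAMPLE_LOG = [
  JSON.stringify({ ts: 't1', src: '192.0.2.10', method: 'POST', path: ENDPOINT,
    body: { mcpServerConfig: '{"command":"npx","args":["-y","example-mcp-server"]}' } }),
  JSON.stringify({ ts: 't2', src: '198.51.100.7', method: 'post', path: ENDPOINT + '/?x=1',
    body: { mcpServerConfig: 'constructed marker text: require child_process' } }),
  JSON.stringify({ ts: 't3', src: '198.51.100.7', method: 'POST', path: '/api/v1/other',
    body: 'constructed marker text: process' }),
  '{"ts":"t4","src":"198.51.100.7","method":"POST","path":', // truncated line
].join('\n');

console.log(findSuspiciousCustomMcpPosts(SAMPLE_LOG));
```

A match is a lead for manual review rather than proof of compromise, and the scan only works if request bodies are captured in the logs being searched.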
