Flowise RCE Exploited

A critical remote‑code‑execution flaw in the Flowise AI agent builder has been actively exploited, leaving over 12,000 exposed instances at risk and reportedly abused for more than six months. This means no‑code/low‑code agent tooling can become a high‑impact attack surface quickly unless teams isolate and lock down exposed deployments. Platform teams experimenting with agent builders should treat them like admin consoles or CI systems until patched. (thehackernews.com)

A critical remote-code-execution flaw in Flowise, the open-source low-code platform for building AI agents and LLM workflows, is now being exploited in the wild. The bug is tracked as CVE-2025-59528. It carries a CVSS score of 10.0, the maximum. GitHub’s advisory says the vulnerable package is Flowise 3.0.5 and the fix landed in 3.0.6. NIST’s entry describes the same flaw as a server-side code-execution bug in Flowise’s CustomMCP feature (github.com, nvd.nist.gov).

The reason this bug is so dangerous is painfully simple. Flowise lets users configure external Model Context Protocol servers through a CustomMCP node. In the vulnerable code path, the platform takes a user-supplied string called `mcpServerConfig` and feeds it into JavaScript’s `Function` constructor. That is effectively `eval` with better branding. GitHub’s advisory says the code runs with full Node.js privileges, which means access to modules like `child_process` and `fs`. SonicWall’s write-up traces the same path from the public API endpoint to arbitrary code execution on the host (github.com, sonicwall.com).

That would already be bad if exploitation required deep access. It does not. GitHub’s advisory includes a proof of concept that uses a single POST request to `/api/v1/node-load-method/customMCP` and shows command execution by writing a file on the server. The advisory says an API token is enough. SonicWall goes further and describes the issue as exploitable by unauthenticated attackers through that same parameter, which suggests there may be internet-exposed deployments where the practical barrier is even lower than “authenticated” sounds (github.com, sonicwall.com).

What turned this from a severe bug into a live operational problem is exposure. Reporting on April 7, 2026 said more than 12,000 Flowise instances were reachable from the public internet and at risk. The same reporting, citing VulnCheck, said attackers had been abusing the flaw for more than six months. Separate summaries of VulnCheck’s findings say the first observed exploitation came from a single Starlink IP address. That detail matters less as attribution than as a sign of how little infrastructure an attacker needed to start scanning and popping systems (thehackernews.com, cvemon.intruder.io, news.az).

Flowise is exactly the kind of software teams expose too casually. It looks like a builder. It feels like a dashboard. In practice, it is a control plane for prompts, connectors, credentials, tools, and sometimes direct access to internal systems. That makes a bug in an “AI app builder” look a lot more like a bug in Jenkins, GitLab, or an admin console.

The same public vulnerability trail shows this is not an isolated awkward edge case either. Flowise has accumulated multiple serious security issues in the past year, including other flaws that enabled command execution, privilege escalation, file upload abuse, SSRF, and account takeover in versions patched across 3.0.6 through 3.0.13 (github.com, nvd.nist.gov, wiz.io).

The concrete fix for this incident is straightforward. Upgrade past 3.0.5, ideally to a current supported release, and pull any exposed Flowise instance off the public internet unless there is a very good reason it must stay there. But the larger lesson is harder to patch. The moment a no-code AI tool can run custom integrations and talk to external services, it stops being a harmless experiment. In this case, one unsafe `Function` call inside `CustomMCP.ts` was enough to turn an agent builder into a remote shell (github.com, nvd.nist.gov).
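
The unsafe `Function` pattern described above, set beside a data-only parser, as an added example that is not Flowise's code or the advisory's. The `command`/`args` fields, the command allowlist and both sample strings are assumptions constructed for illustration.

```javascript
// Added example, not Flowise code. Field names and the allowlist are assumptions.
const ALLOWED_COMMANDS = new Set(["node", "npx"]); // placeholder operator policy

// The unsafe pattern the article describes: the string is compiled and executed.
function parseConfigUnsafe(text) {
  return Function("return " + text)();
}

// Hardened: JSON.parse only ever builds data, then the shape is checked strictly.
function parseConfigSafe(text) {
  if (typeof text !== "string" || text.length > 4096) {
    throw new Error("config must be a string of at most 4096 characters");
  }
  let cfg;
  try {
    cfg = JSON.parse(text);
  } catch {
    throw new Error("config is not valid JSON");
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    throw new Error("config must be a JSON object");
  }
  for (const key of Object.keys(cfg)) {
    if (key !== "command" && key !== "args") throw new Error("unexpected key: " + key);
  }
  if (!ALLOWED_COMMANDS.has(cfg.command)) throw new Error("command not allowed");
  const args = cfg.args ?? [];
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new Error("args must be an array of strings");
  }
  return { command: cfg.command, args: [...args] };
}

// Constructed inputs: one plain JSON config, and one JavaScript expression whose
// harmless side effect stands in for attacker-controlled code.
const JSON_CONFIG = '{"command":"npx","args":["-y","example-mcp-server"]}';
const EXPRESSION_CONFIG = '{ command: "npx", args: [], x: (globalThis.sideEffectRan = true) }';

function compare() {
  globalThis.sideEffectRan = false;
  parseConfigUnsafe(EXPRESSION_CONFIG);
  const unsafeRanCode = globalThis.sideEffectRan; // the expression was evaluated
  globalThis.sideEffectRan = false;
  let safeError = null;
  try { parseConfigSafe(EXPRESSION_CONFIG); } catch (e) { safeError = e.message; }
  return { unsafeRanCode, safeError, safeRanCode: globalThis.sideEffectRan,
           parsed: parseConfigSafe(JSON_CONFIG) };
}
console.log(compare());
```

Parsing the value as JSON removes the evaluation step entirely, so the remaining checks only decide which well-formed configurations the operator accepts.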
