Max Severity Flowise RCE Vulnerability Now Exploited in Attacks

The discovery of CVE‑2025‑59528 underscores a growing tension between rapid AI innovation and software security. Flowise’s drag‑and‑drop interface has lowered barriers for developers and business users to prototype LLM agents, but its open‑source nature also makes it an attractive target for threat actors seeking to leverage unchecked code execution. By allowing unvalidated JavaScript in the CustomMCP node, the flaw effectively grants attackers the same privileges as the host system, a scenario that aligns with the highest CVSS rating of 10.0 and raises red flags for any organization that embeds Flowise in customer‑facing services.

VulnCheck’s early detection of exploitation through its Canary network provides a rare glimpse into real‑world abuse of AI tooling. Although the observed activity appears limited to a single Starlink IP, the researchers estimate that between 12,000 and 15,000 Flowise instances are publicly reachable, amplifying the attack surface. This incident also coincides with active exploits of two other Flowise vulnerabilities—CVE‑2025‑8943 and CVE‑2025‑26319—suggesting a coordinated effort to weaponize the platform’s ecosystem. Enterprises that rely on Flowise for chatbot automation, knowledge‑base assistants, or internal AI agents must treat these findings as a wake‑up call to audit their deployments and verify version compliance.

The immediate mitigation is straightforward: upgrade to Flowise 3.1.1 or at least the patched 3.0.6 release. Beyond patching, organizations should enforce network segmentation, restrict public internet exposure, and implement runtime monitoring for anomalous JavaScript execution. Supply‑chain vigilance is equally critical; maintaining a hardened CI/CD pipeline for open‑source components can prevent similar vulnerabilities from slipping into production. As AI‑driven applications become core to business operations, embedding security into the development lifecycle will be essential to safeguard both data integrity and brand reputation.