Critical Flowise RCE Vulnerability (CVE-2025-59528) Under Active Exploitation Threatens AI Infrastructure + Video

Listen to this Post

Featured Image

Introduction: A Silent Entry Point Into AI Systems

A newly exploited vulnerability in Flowise is raising serious concerns across the cybersecurity landscape. As organizations increasingly rely on AI-driven workflows, platforms like Flowise have become central to operations. However, this convenience now comes with risk. Attackers are actively leveraging a critical flaw that allows them to execute malicious code remotely, potentially gaining full control over affected systems. The situation highlights a growing reality: as AI platforms evolve, so do the threats targeting them.

the Original Incident

A critical security vulnerability identified as CVE-2025-59528 has been discovered and is now actively exploited in Flowise, an open-source platform designed to simplify the creation of large language model workflows and AI agents. Flowise allows users to build AI-driven applications using a visual drag-and-drop interface, eliminating the need for deep programming expertise. This accessibility has made it popular among businesses and developers, but also an attractive target for attackers.

The root cause of the vulnerability lies in the improper handling of user-supplied JavaScript within the platform’s CustomMCP node. This component is responsible for configuring connections to external MCP servers. Instead of validating user input securely, the system processes the configuration string as executable JavaScript. Specifically, the convertToValidJSONString function directly passes user input into the Function() constructor, which executes it with full Node.js runtime privileges.

This design flaw opens the door for attackers to inject arbitrary JavaScript code. Because the execution occurs in a privileged environment, malicious actors can access sensitive Node.js modules such as child_process and fs. This enables them to run system commands, access or manipulate files, and potentially exfiltrate sensitive data.

The vulnerability is particularly dangerous because exploitation requires only an API token. Once obtained, an attacker can fully compromise the system, execute commands remotely, and access confidential information. The impact extends beyond individual systems, posing risks to entire business operations and customer data integrity.

Flowise versions up to 3.0.5 are affected by this flaw. The issue was patched in version 3.0.6, released in September 2025. Despite the availability of a fix, many systems remain exposed. Security researchers observed that between 12,000 and 15,000 Flowise instances are accessible on the public internet, significantly increasing the attack surface.

Initial exploitation attempts were detected by VulnCheck, with activity traced back to a single Starlink IP address. This suggests early-stage exploitation, but the scale of exposure indicates that broader attacks could follow. The vulnerability has been publicly known for over six months, giving defenders time to apply patches, yet many systems remain unprotected.

This flaw is not an isolated case. It represents the third actively exploited vulnerability in Flowise, following two other high-severity issues earlier in 2025. The repeated emergence of critical bugs highlights systemic security challenges within rapidly evolving AI platforms.

The combination of widespread exposure, ease of exploitation, and high impact makes CVE-2025-59528 a severe threat. Organizations using Flowise must act immediately to update their systems and secure their environments against potential attacks.

What Undercode Say:

The Hidden Cost of Low-Code AI Platforms

Flowise represents a broader trend in technology: simplifying complex systems for mass adoption. While drag-and-drop AI development lowers barriers, it also introduces hidden risks. When platforms prioritize flexibility, especially allowing dynamic code execution, security often becomes an afterthought. This vulnerability is not just a bug, it is a design failure rooted in trusting user input too much.

JavaScript Injection Is Not New, But Context Matters

Executing user input through the Function() constructor is widely known as dangerous. This is not a zero-day concept but a well-documented anti-pattern. What makes this case alarming is the context, it occurs inside an AI orchestration platform that may handle sensitive enterprise workflows, APIs, and data pipelines. The impact is amplified because the environment is inherently powerful.

API Tokens as the Weak Link

The requirement of an API token for exploitation may seem like a barrier, but in reality, tokens are frequently leaked, misconfigured, or exposed through poor security practices. Once an attacker gains access to a token, the vulnerability becomes trivial to exploit. This reflects a broader issue in modern systems where authentication is assumed to be sufficient protection, even when internal logic is insecure.

The Scale Problem: Thousands of Exposed Instances

With over 12,000 publicly accessible instances, attackers do not need sophistication, they need automation. Even a low-skill attacker can scan and exploit vulnerable systems at scale. This transforms the vulnerability from a targeted threat into a mass exploitation opportunity.

Delayed Patching: A Predictable Weakness

The patch has been available since September 2025, yet exploitation is happening months later. This delay is not unusual. Organizations often struggle with patch management due to operational constraints or lack of visibility. Attackers understand this delay and time their campaigns accordingly.

AI Infrastructure Is Becoming a Prime Target

As AI systems become integrated into business operations, they are evolving into high-value targets. Compromising a platform like Flowise is not just about gaining server access, it can mean controlling automated workflows, manipulating AI outputs, or accessing integrated services.

Repeated Vulnerabilities Signal Structural Issues

This being the third exploited vulnerability in Flowise suggests deeper issues in secure development practices. It raises questions about code review processes, security testing, and the maturity of AI tooling ecosystems.

The Illusion of “Open Source Equals Secure”

Flowise being open-source does not automatically guarantee security. While transparency can improve trust, it also means attackers can study the codebase. Without active maintenance and rapid patch adoption, open-source tools can become easy targets.

Security Must Be Built, Not Added

The fundamental lesson here is clear: security cannot be layered on after functionality is complete. Features like dynamic configuration must be designed with strict validation and sandboxing from the beginning.

Fact Checker Results

✅ CVE-2025-59528 is a critical RCE vulnerability affecting Flowise versions up to 3.0.5
✅ Exploitation allows arbitrary JavaScript execution with full Node.js privileges
❌ The attack is not yet widespread globally, early activity appears limited but risky

Prediction

📊 AI development platforms will face increasing targeted attacks as adoption grows
📊 More zero-day vulnerabilities will emerge in low-code and no-code AI tools
📊 Organizations will shift toward stricter isolation and sandboxing in AI workflows

▶️ Related Video (86% Match):

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon