Open Source, Wide Open Doors: Flowise AI Flaw Lets Hackers Walk Right In

It started with a single, silent request: a snippet of code slipped into the digital bloodstream of a Flowise AI server. Within seconds, attackers could seize control, execute commands, and plunder sensitive data - no passwords, no alarms, no human intervention. For over 15,000 servers worldwide, this nightmare is no longer theoretical. The open-source AI development platform Flowise has sprung a leak, and opportunists are already wading in.

The Anatomy of an Open Source Disaster

For organizations building AI-powered workflows, Flowise has been a go-to tool. Its open-source nature and flexibility have made it a favorite among startups and enterprises alike. But the same openness has now become its Achilles’ heel.

The vulnerability, tracked as CVE-2025-59528, is as simple as it is devastating. Buried within Flowise’s CustomMCP component, the flaw allows configuration data from users to be interpreted as executable JavaScript code. Instead of checking or sanitizing these inputs, Flowise simply hands them to the Node.js Function() constructor - essentially inviting any code sent its way to run with full permissions.

What does this mean in practice? An attacker crafts a malicious configuration, sends it to a vulnerable API endpoint, and - if the server is running Flowise version 3.0.5 or earlier - the code executes invisibly in the background. This can lead to anything from dropping unauthorized files and opening backdoors, to exfiltrating sensitive business or customer data. The attacker’s reach extends to the file system and can even spawn new system processes, effectively owning the host machine.

Security firm VulnCheck reports that exploitation has already begun, with attack traffic traced to a Starlink IP address - evidence that opportunistic hackers are scanning for and weaponizing this flaw at speed. Proof-of-concept attacks require minimal skill, making this bug a goldmine for cybercriminals and a nightmare for defenders.

This is not Flowise’s first brush with danger. Recent months have seen multiple vulnerabilities (including CVE-2025-8943 and CVE-2025-26319) exploited in the wild. The rapid-fire patch cycle underscores a critical truth: in the open-source era, transparency can become exposure overnight.

Developers have moved quickly to issue a patched version, 3.0.6, but with so many servers still running outdated software, the window for attackers remains wide open. Experts urge immediate upgrades, restricted external access, and vigilant monitoring for signs of compromise. For organizations relying on Flowise, the message is clear: patch now or risk total system breach.

Aftermath: The Human Cost of Code

As AI platforms like Flowise become the backbone of business operations, a single oversight can cascade into global crisis. The latest Flowise flaw is a stark reminder: open source isn’t just about innovation - it’s about shared responsibility. In the race to build smarter systems, security must never be left behind.

WIKICROOK

• Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
• CVSS Score: A CVSS Score rates the severity of security vulnerabilities from 0 to 10, with higher numbers indicating greater risk and urgency for response.
• Node.js: Node.js is a platform for running JavaScript outside browsers, often on servers. It can be exploited to execute malware or automate attacks.
• API Endpoint: An API endpoint is a specific web address where software systems exchange data, acting as a secure digital service window for requests and responses.
• Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.