Unfiltered Access: Flowise AI Tool’s Critical Flaw Now Weaponized by Hackers

It began with a whisper on the dark web, but now it’s out in the open: Flowise, the darling of AI tinkerers and enterprises alike, is under active attack. A flaw so severe it scores a perfect 10 on the industry’s risk scale has become a golden ticket for hackers seeking to hijack servers and run their own code - remotely, silently, and with terrifying ease.

Fast Facts

• Critical RCE Flaw: CVE-2025-59528 allows attackers to inject and execute arbitrary JavaScript code on Flowise servers.
• Active Exploitation: First observed attacks began recently, with activity traced to a Starlink IP address.
• Widespread Exposure: Up to 15,000 Flowise instances are accessible on the internet; unknown how many are vulnerable.
• Patched Versions: Issue fixed in Flowise v3.0.6 and above; latest release is v3.1.1.
• Broader Threat: Other vulnerabilities (CVE-2025-8943, CVE-2025-26319) are also being exploited in the wild.

Flowise’s promise - a drag-and-drop platform for building chatbots, AI agents, and automated workflows - has made it a favorite among both seasoned developers and newcomers to artificial intelligence. But that very accessibility has also made it a high-value target. The vulnerability, CVE-2025-59528, lurks in the system’s CustomMCP node, where user-supplied configuration data is accepted with no meaningful security checks. This oversight allows attackers to slip in malicious JavaScript, opening the door to remote code execution (RCE) and full file system access.

The issue first surfaced in September, but only now have real-world attacks been detected. VulnCheck, a vulnerability intelligence firm, sounded the alarm after their Canary network picked up the first signs of exploitation. Though the initial activity appears limited - originating from a single Starlink IP - the implications are vast. With tens of thousands of Flowise instances exposed online, the window for mass exploitation is wide open.

The Flowise development team moved quickly, patching the flaw in version 3.0.6. However, as is often the case in the open-source world, not all users have caught up. Many continue to run older, vulnerable versions, unwittingly offering hackers an easy way in. Complicating matters, Flowise is used in critical business operations, including customer support bots and internal knowledge assistants - prime targets for attackers seeking sensitive data or a foothold for further compromise.

Security experts recommend immediate upgrades to the latest version (3.1.1) or at the very least, version 3.0.6. They also urge users to remove public internet access to Flowise instances wherever possible. Meanwhile, exploit details and detection tools remain closely guarded by security firms, shared only with select customers.

As Flowise’s user base grapples with the fallout, the episode is a stark reminder: in the race to democratize AI development, even the most innovative tools can become double-edged swords. Vigilance, timely patching, and a clear-eyed view of risk are more crucial than ever.

WIKICROOK

• Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
• JavaScript Injection: JavaScript injection is a hacking method where attackers insert malicious code into web apps to steal data, hijack sessions, or alter content.
• Open: 'Open' means software or code is publicly available, allowing anyone to access, modify, or use it - including for malicious purposes.
• Patch: A patch is a software update released to fix security vulnerabilities or bugs in programs, helping protect devices from cyber threats and improve stability.
• YARA Rules: YARA rules are patterns used by security tools to detect malware, helping analysts identify threats by matching specific characteristics in files or memory.