A maximum-severity remote code execution vulnerability in FlowiseAI’s open-source AI agent builder is under active exploitation, with over 12,000 publicly exposed instances at risk. If you’re running Flowise anywhere in your stack, stop reading and upgrade to 3.0.6 now.
The Vulnerability
CVE-2025-59528 is a code injection flaw in Flowise’s CustomMCP node rated CVSS 10.0 — the highest possible score. It affects all versions from 2.2.7-patch.1 through 3.0.5. The bug requires no authentication and is trivially exploitable over the network.
The root cause is in the convertToValidJSONString function within CustomMCP.ts. Instead of using a safe JSON parser, the function passes user-supplied input directly to JavaScript’s Function() constructor, building and invoking Function('return ' + inputString)().
This is functionally identical to eval(). The vulnerable code path is reachable via the REST API endpoint /api/v1/node-load-method/customMCP, which accepts POST requests containing an mcpServerConfig parameter. The request flows through the route handler, controller, and service layers without any input validation or sanitization before reaching the dangerous Function() call.
Because this executes with full Node.js runtime privileges, an attacker gains access to child_process for arbitrary command execution and fs for filesystem access. That means full server compromise from a single unauthenticated HTTP request.
Active Exploitation
VulnCheck confirmed active exploitation in the wild, with attack traffic originating from a Starlink IP address. The exploitation is straightforward — crafted POST requests to the CustomMCP endpoint inject JavaScript payloads that spawn reverse shells or deploy persistence mechanisms.
The attack surface is substantial. Internet-facing Flowise instances have been identified in the tens of thousands, with over 12,000 confirmed exposed at the time of disclosure. Many of these are development or staging instances with no authentication layer, but production deployments running AI agent workflows are also affected.
Who’s Affected
Flowise is widely used to build LLM-powered agent workflows, RAG pipelines, and AI chatbot applications. It’s popular among teams rapidly prototyping AI features and often gets deployed with default configurations that expose the web interface directly to the internet.
If your organization runs Flowise for any of the following, you’re in the blast radius:
- Internal AI agent builders or chatbot platforms
- RAG (Retrieval-Augmented Generation) pipelines
- LLM orchestration workflows
- Any MCP-enabled AI tooling built on Flowise
The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), and the CVSS 10.0 score reflects the combination of network-accessible attack vector, zero authentication requirement, and full system compromise impact.
Mitigation
Upgrade to Flowise 3.0.6 immediately. The patch replaces the dangerous Function('return ' + inputString)() call with JSON5.parse(inputString), ensuring user input is treated as data rather than executable code.
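The following is an added example, not Flowise’s own code: a minimal reconstruction of the vulnerable convertToValidJSONString pattern described above, placed beside the hardened form the patch introduces. It assumes the function returns a JSON string and uses the built-in JSON.parse as a stand-in for the JSON5.parse call in the real patch, so it runs with no dependencies; the config strings are constructed sample inputs.

```javascript
// Vulnerable: the input string is concatenated into source code and run.
// Anything the caller sends is executed with full Node.js privileges.
function convertToValidJSONStringVulnerable(inputString) {
  const value = Function('return ' + inputString)();
  return JSON.stringify(value);
}

// Hardened: the input is parsed as data only. Non-JSON input throws a
// SyntaxError instead of being executed. (The actual patch uses JSON5.parse;
// JSON.parse stands in here so the example has no dependencies.)
function convertToValidJSONStringFixed(inputString) {
  const value = JSON.parse(inputString);
  return JSON.stringify(value);
}

// Constructed mcpServerConfig inputs for the demonstration.
const BENIGN_CONFIG = '{"command": "npx", "args": ["-y", "example-mcp-server"]}';
// Not JSON: a JavaScript expression with a harmless, observable side effect.
// The vulnerable path evaluates it; the fixed path rejects it untouched.
const EXPRESSION_CONFIG = '(globalThis.__sideEffect = "ran", {"command": "npx"})';

// Runs both converters over both inputs and reports what happened.
function demo() {
  const results = {};

  delete globalThis.__sideEffect;
  results.vulnerableBenign = convertToValidJSONStringVulnerable(BENIGN_CONFIG);
  results.fixedBenign = convertToValidJSONStringFixed(BENIGN_CONFIG);

  delete globalThis.__sideEffect;
  results.vulnerableExpression = convertToValidJSONStringVulnerable(EXPRESSION_CONFIG);
  results.vulnerableSideEffect = globalThis.__sideEffect; // "ran": code executed

  delete globalThis.__sideEffect;
  let rejected = false;
  try {
    convertToValidJSONStringFixed(EXPRESSION_CONFIG);
  } catch (e) {
    rejected = e instanceof SyntaxError;
  }
  results.fixedRejected = rejected;                 // true
  results.fixedSideEffect = globalThis.__sideEffect; // undefined: nothing ran
  return results;
}
```

Both converters agree on well-formed JSON; only the vulnerable one turns a non-JSON string into executed code, which is the behaviour the CVSS 10.0 rating reflects.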
If you cannot patch immediately:
- Remove Flowise from the public internet. Place it behind a VPN or reverse proxy with authentication.
- Block access to /api/v1/node-load-method/customMCP at your WAF or reverse proxy layer.
- Audit logs for POST requests to the CustomMCP endpoint — any unexpected requests to this path should be treated as potential compromise.
- Check for indicators of compromise: unexpected child processes spawned by the Flowise Node.js process, new cron jobs, outbound connections to unfamiliar IPs, or modifications to the filesystem outside of normal Flowise operations.
The Bigger Picture
This is another case of AI infrastructure tooling being deployed faster than it’s being secured. Flowise makes it easy to build powerful AI agent workflows, but that same ease of deployment means instances end up internet-facing with default configurations and no auth. The CustomMCP node — designed to connect to external Model Context Protocol servers — accepted arbitrary configuration strings and executed them as code. The irony of an MCP integration being the attack vector for compromising AI infrastructure won’t be lost on anyone watching the rapid expansion of the MCP ecosystem.
If you’re running any self-hosted AI tooling, now is a good time to audit what’s exposed and whether it’s actually behind authentication.