Critical RCE Vulnerability in Flowise Exploited by Hackers

Severity: High (Score: 75.0)

Sources: BleepingComputer

Summary

A maximum-severity vulnerability, CVE-2025-59528, in the Flowise platform is being actively exploited by hackers to execute arbitrary JavaScript code. This flaw, which allows for command execution and file system access, was publicly disclosed in September 2025. The vulnerability arises from the Flowise CustomMCP node, which improperly evaluates user input without security checks. As of now, exploitation has been detected by VulnCheck's Canary network, with activity traced back to a single Starlink IP address. There are currently between 12,000 and 15,000 Flowise instances exposed online, although the exact number of vulnerable servers is unknown. Users are urged to upgrade to version 3.1.1 or at least 3.0.6 to mitigate the risk. Additional vulnerabilities, CVE-2025-8943 and CVE-2025-26319, also affect Flowise and are being exploited in the wild. The situation remains critical as the potential for widespread exploitation exists.

Key Points

  • CVE-2025-59528 allows arbitrary code execution in Flowise due to unsafe input evaluation.
  • Exploitation has been detected, with 12,000 to 15,000 Flowise instances exposed online.
  • Users are strongly advised to upgrade to the latest version to protect against attacks.

Key Entities

  • Remote Code Execution (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2025-26319 (cve)
  • CVE-2025-59528 (cve)
  • CVE-2025-8943 (cve)
  • T1059.007 - JavaScript (mitre_attack)
  • Flowise (platform)