Flowise AI platform hit by maximum-severity RCE flaw

Craig Nash
By
Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.
7 Min Read
Flowise AI platform hit by maximum-severity RCE flaw

The Flowise AI platform is under active attack from a maximum-severity remote code execution vulnerability that grants attackers complete control over vulnerable servers. CVE-2025-59528, scored 10.0 on the CVSS scale, allows arbitrary code execution, unrestricted file system access, and spawning of child processes through malicious API requests targeting the CustomMCP (Model Context Protocol) component. The Flowise AI platform vulnerability affects versions 3.0.5 and earlier; a patch exists in version 3.0.6, yet exploitation continues unabated.

Key Takeaways

  • CVE-2025-59528 is a CVSS 10.0 remote code execution flaw in Flowise versions 3.0.5 and earlier, patched in 3.0.6.
  • Over 12,000-15,000 publicly exposed Flowise instances online, many potentially vulnerable to attack.
  • Active exploitation detected by VulnCheck’s Canary network originating from a single Starlink IP address.
  • Only an API token is required for exploitation; no user interaction needed for successful attack.
  • Third critical Flowise vulnerability with in-the-wild exploitation in recent months.

Why This Flowise AI Platform Vulnerability Matters Now

Active exploitation of this flaw began within days of public disclosure, according to VulnCheck’s threat intelligence. The Flowise AI platform is used by large corporations to build custom large language model applications and AI agents, making the attack surface particularly valuable to threat actors. Caitlin Condon, VP of Security Research at VulnCheck, stated: “This is a critical-severity bug in a popular AI platform used by a number of large corporations… the internet-facing attack surface area of 12,000+ exposed instances makes the active scanning and exploitation attempts we’re seeing more serious”.

What makes this Flowise AI platform vulnerability exceptionally dangerous is the minimal barrier to exploitation. An attacker needs only a valid API token to craft a single malicious request that executes arbitrary JavaScript code in the background. No user interaction, no social engineering, no multi-stage attack chain—just a token and a payload. The Flowise team acknowledged the risk: “As only an API token is required, this poses an extreme security risk to business continuity and customer data”.

The Broader Pattern of Flowise AI Platform Weaknesses

This is not the first critical flaw to plague Flowise. In recent months, the platform has been hit by CVE-2025-8943 (CVSS 9.8, OS command remote code execution) and CVE-2025-26319 (CVSS 8.9, arbitrary file upload), both with active exploitation detected in the wild. The frequency of maximum-severity vulnerabilities in a single open-source AI platform raises questions about the security maturity of the codebase and the development team’s vulnerability response processes.

VulnCheck’s Canary network detected the first exploitation attempts early in the disclosure period, originating from a single Starlink IP address. The activity appeared opportunistic—scanning for vulnerable instances rather than targeting specific organizations. This suggests attackers are systematically probing the internet for exposed Flowise deployments, making rapid patching a matter of operational urgency for any organization running affected versions.

How Flowise AI Platform Vulnerability Compares to Related Platforms

While Flowise dominates headlines for this particular flaw, the broader AI platform ecosystem faces similar pressures. Platforms like n8n have also appeared in security statistics for exposed infrastructure, indicating that low-code AI and automation tools are attractive targets due to their internet-facing APIs and direct access to backend systems. The difference is not necessarily that Flowise is uniquely insecure, but that its vulnerability disclosure and active exploitation have drawn more public scrutiny.

The speed of patch availability—version 3.0.6 was released and is available via npm—demonstrates Flowise’s ability to respond. However, the persistence of exploitation despite the patch being public for months underscores a critical gap: many organizations either do not monitor their Flowise deployments, lack automated update mechanisms, or are unaware they are running vulnerable versions.

What Organizations Should Do Immediately

Any organization running Flowise versions 3.0.5 or earlier should treat this as a priority-one incident. The Flowise AI platform vulnerability requires immediate upgrade to version 3.0.6 or later. If immediate patching is not possible, restricting API access to trusted networks and rotating API tokens should be considered interim measures, though these do not eliminate the risk.

The 12,000-15,000 publicly exposed instances detected by vulnerability scanners represent a significant attack surface. Many of these deployments may belong to small teams, startups, or internal projects that lack dedicated security operations, making them ideal targets for opportunistic attackers.

Is the Flowise AI platform vulnerability actively being exploited right now?

Yes. VulnCheck’s threat intelligence network detected active exploitation beginning shortly after public disclosure, originating from a single Starlink IP address conducting opportunistic scanning. The attacks are ongoing and targeting publicly exposed instances.

What versions of Flowise are affected by this vulnerability?

Flowise versions 3.0.5 and earlier are vulnerable to CVE-2025-59528. Version 3.0.6 and later contain the security patch.

Can the Flowise AI platform vulnerability be exploited without authentication?

No, but the authentication requirement is minimal. An attacker needs only a valid API token, which is a standard credential used by any application integrating with Flowise. No user interaction or advanced social engineering is required.

The Flowise AI platform vulnerability represents a critical inflection point for open-source AI tooling. When maximum-severity flaws persist in active exploitation months after patching, the issue is not the vulnerability itself—it is the deployment and maintenance practices of the broader community. Organizations must move beyond treating open-source AI platforms as set-and-forget infrastructure and adopt rigorous patch management, network segmentation, and continuous monitoring. Until they do, vulnerabilities like CVE-2025-59528 will continue to offer attackers easy access to systems controlling sensitive business logic and data.

Edited by the All Things Geek team.

Source: TechRadar

Share This Article
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.