PROBABLYPWNED
Vulnerabilities | April 7, 2026 | 3 min read

Flowise AI Builder RCE Hits CVSS 10 — 12,000 Servers Exposed

Critical code injection vulnerability CVE-2025-59528 in Flowise AI agent builder scores maximum CVSS 10.0 and is under active exploitation. Over 12,000 instances are publicly accessible.

Marcus Chen

A maximum-severity vulnerability in Flowise, an open-source tool for building AI agents and workflows, is under active exploitation with over 12,000 publicly accessible instances at risk. CVE-2025-59528 carries a CVSS score of 10.0—the highest possible rating—and allows unauthenticated remote code execution.

The vulnerability resides in Flowise's CustomMCP node, a component used to configure connections to external Model Context Protocol servers. The flaw is embarrassingly simple: instead of using a safe JSON parser, the CustomMCP node passes user input directly to JavaScript's Function() constructor, which compiles and runs its string argument as code, just as eval() does.
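An added example, not Flowise's code and not from the original article: the Function()-based parsing pattern described above, beside a replacement built on JSON.parse with shape validation. The function names, the allowed keys (command, args, env, url), the size limit and both sample inputs are assumptions constructed for illustration.

```javascript
// Unsafe pattern (simplified illustration): the string is compiled and run as
// JavaScript, so any expression inside it executes in the server process.
function parseConfigUnsafe(input) {
  return Function('return ' + input)();
}

// Assumed allowlist of fields for one MCP server entry (hypothetical schema).
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url']);
const isStr = (v) => typeof v === 'string';
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Hardened form: JSON.parse only builds data; the shape is then validated.
function parseConfigSafe(input) {
  if (!isStr(input) || input.length > 16384) throw new TypeError('config must be a string of at most 16384 characters');
  let cfg;
  try { cfg = JSON.parse(input); } catch (err) { throw new SyntaxError('config is not valid JSON'); }
  if (!isPlainObject(cfg)) throw new TypeError('config must be a JSON object');
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new TypeError('unexpected key: ' + key);
  }
  const { command, args, env, url } = cfg;
  if (command !== undefined && !isStr(command)) throw new TypeError('command must be a string');
  if (url !== undefined && !isStr(url)) throw new TypeError('url must be a string');
  if (args !== undefined && !(Array.isArray(args) && args.every(isStr))) {
    throw new TypeError('args must be an array of strings');
  }
  if (env !== undefined && !(isPlainObject(env) && Object.values(env).every(isStr))) {
    throw new TypeError('env must map names to strings');
  }
  return cfg;
}

// Constructed inputs: a plain JSON config, and a string that is a JavaScript
// expression with a harmless side effect (it sets a flag) rather than JSON.
const jsonInput = '{"command":"npx","args":["-y","example-mcp-server"]}';
const exprInput = '(globalThis.__ranAsCode = true, {"command":"npx"})';

function demo() {
  globalThis.__ranAsCode = false;
  parseConfigUnsafe(exprInput); // the flag flips: the input ran as code
  const unsafeRan = globalThis.__ranAsCode;
  globalThis.__ranAsCode = false;
  let rejected = false;
  try { parseConfigSafe(exprInput); } catch (err) { rejected = err instanceof SyntaxError; }
  return { unsafeRan, rejected, safeRan: globalThis.__ranAsCode, parsed: parseConfigSafe(jsonInput) };
}
console.log(demo());
```

The hardened parser never evaluates the input, so the expression string fails as invalid JSON, and well-formed JSON with unexpected keys or wrong types is rejected before it reaches any code that acts on it.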

Attack Surface and Exploitation

Successful exploitation grants attackers access to Node.js runtime capabilities including the child_process module for executing system commands and fs for filesystem operations. In practical terms, an attacker can fully compromise a Flowise server, execute arbitrary commands, and exfiltrate any data accessible to the application.

The vulnerability affects Flowise versions 2.2.7-patch.1 through 3.0.5. Organizations running these versions should upgrade to version 3.0.6 immediately.

What makes this particularly concerning is the exposure scope. Security researchers identified over 12,000 Flowise instances exposed to the internet, many likely storing API keys, credentials, and sensitive configuration data for connected AI services. The EPSS score of 84.07% places this vulnerability in the 99.28th percentile for near-term exploitation probability.

Why AI Tooling Is a Growing Target

Flowise represents a broader trend of AI-related infrastructure becoming attack targets. As organizations rush to deploy AI agents, chatbots, and automated workflows, the security of underlying platforms often receives insufficient scrutiny. The recent exploitation of LiteLLM for credential harvesting demonstrates that attackers are actively targeting the AI development ecosystem.

These platforms frequently store high-value secrets: API keys for OpenAI, Anthropic, and other AI providers; database credentials; and integration tokens for enterprise systems. Compromising a single Flowise instance could yield access to dozens of connected services.

The CustomMCP vulnerability is particularly ironic given that Model Context Protocol (MCP) is designed to enable secure communication between AI systems and external tools. A fundamental code injection flaw in the MCP configuration handler undermines the entire security model.

Indicators of Compromise

Organizations running Flowise should check for:

  • Unexpected processes spawned by the Flowise application
  • Unusual outbound network connections from Flowise servers
  • Modified files in the Flowise installation directory
  • Unauthorized API key usage in connected AI services

Given active exploitation, assume compromise if running vulnerable versions exposed to the internet. A full credential rotation for any secrets accessible from the Flowise instance is warranted.

Broader AI Security Implications

This vulnerability highlights the security debt accumulating in the AI tooling ecosystem. Many AI development platforms are built for rapid prototyping rather than production security. The assumption that these tools will only run in development environments is increasingly invalid as organizations deploy AI agents into production workflows.

Security teams should inventory AI-related infrastructure and treat it with the same rigor applied to traditional web applications. The combination of high-value secrets, rapid development cycles, and relatively immature security practices makes AI tooling an attractive target.

For organizations evaluating AI platforms, this incident underscores the importance of security audits before deployment. The pattern of using eval() or equivalent constructs for configuration parsing is a red flag that should disqualify any platform from production use.

The Flowise maintainers have patched the vulnerability in version 3.0.6. Organizations should upgrade immediately and review logs for evidence of prior exploitation.
