Active exploitation of maximum-severity code injection flaw in Flowise AI agent builder (CVE-2025-59528, CVSS 10.0)

First reported

07.04.2026 08:56

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

Threat actors are actively exploiting CVE-2025-59528, a maximum-severity (CVSS 10.0) code injection vulnerability in Flowise, an open-source AI agent builder platform. The flaw allows unauthenticated remote code execution via the CustomMCP node, which parses user-supplied mcpServerConfig strings without sanitization, enabling execution of arbitrary JavaScript code with full Node.js runtime privileges. Successful exploitation grants attackers access to dangerous modules (e.g., child_process, fs), leading to full system compromise, arbitrary command execution, file system access, and sensitive data exfiltration.

Timeline

07.04.2026 08:56 1 articles · 2h ago

Maximum-severity code injection flaw in Flowise AI agent builder exploited in the wild (CVE-2025-59528)
Active exploitation of CVE-2025-59528, a CVSS 10.0 code injection flaw in Flowise’s CustomMCP node, has been observed in the wild. The vulnerability allows unauthenticated remote code execution via unsanitized user input in mcpServerConfig strings, granting attackers full system access and control. Exploitation activity has been traced to a single Starlink IP address targeting at least 12,000 exposed Flowise instances, highlighting widespread exposure and the opportunistic nature of the campaign.
Show sources

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed — thehackernews.com — 07.04.2026 08:56
Open in new tab

Information Snippets

The vulnerability (CVE-2025-59528) stems from improper validation in the CustomMCP node’s parsing of user-provided mcpServerConfig strings, allowing JavaScript code injection and remote code execution.
First reported: 07.04.2026 08:56

1 source, 1 article
Show sources
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed — thehackernews.com — 07.04.2026 08:56
Exploitation grants full Node.js runtime privileges, including access to child_process (command execution) and fs (file system) modules, enabling complete system compromise.
First reported: 07.04.2026 08:56

1 source, 1 article
Show sources
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed — thehackernews.com — 07.04.2026 08:56
Flowise addressed the issue in version 3.0.6 of the npm package; the flaw was disclosed in September 2025 by the vendor, credited to researcher Kim SooHyun.
First reported: 07.04.2026 08:56

1 source, 1 article
Show sources
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed — thehackernews.com — 07.04.2026 08:56
Exploitation activity has been observed originating from a single Starlink IP address against exposed internet-facing instances.
First reported: 07.04.2026 08:56

1 source, 1 article
Show sources
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed — thehackernews.com — 07.04.2026 08:56
At least 12,000 Flowise instances remain exposed online, creating a significant and opportunistic attack surface for mass scanning and exploitation attempts.
First reported: 07.04.2026 08:56

1 source, 1 article
Show sources
- Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed — thehackernews.com — 07.04.2026 08:56

Summary

Timeline

Maximum-severity code injection flaw in Flowise AI agent builder exploited in the wild (CVE-2025-59528)

Information Snippets