A maximum-severity (CVSS 10) remote code execution vulnerability in Flowise, tracked as CVE-2025-59528, is now being actively exploited. The flaw exists in the CustomMCP node, which unsafely evaluates JavaScript taken from the mcpServerConfig input without validation. Although the vulnerability was originally disclosed last September and patched in version 3.0.6, between 12,000 and 15,000 Flowise instances remain exposed online. Exploitation has been detected by VulnCheck's Canary network, originating from a single Starlink IP address. Users are urged to upgrade to version 3.1.1 immediately, or to remove public internet exposure if external access is unnecessary.