Critical RCE Vulnerability in Flowise AI Platform Actively Exploited, Thousands of Instances at Risk


Security researchers have confirmed that a critical, maximum-severity vulnerability in the open-source Flowise AI platform is now under active exploitation. The flaw, designated CVE-2025-59528, carries a Common Vulnerability Scoring System (CVSS) rating of 10.0, the highest possible score, indicating a severe and easily exploitable threat.

According to a new report from the vulnerability intelligence firm VulnCheck, threat actors are targeting this remote code execution (RCE) weakness. The vulnerability exists within a specific component of the Flowise application known as the CustomMCP node.

This node is designed to allow users to input configuration settings for connecting to various external services and models. However, a flaw in how this input is processed opens a path for code injection attacks.

Understanding the Technical Risk

The core of the issue is a code injection vulnerability. In simple terms, this means an attacker can submit specially crafted malicious code through the platform’s user interface. Instead of treating that input as plain configuration data, the system mistakenly executes it.

Successful exploitation grants the attacker the ability to run arbitrary commands on the underlying server hosting the Flowise application. This is known as remote code execution, and it gives attackers full control over the compromised system.

The implications of such access are severe. Attackers could steal sensitive AI model data, credentials, and user information. They could also use the compromised server as a foothold to attack other internal network resources, or to deploy malware and ransomware.
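
The difference between executing configuration input and treating it strictly as data can be shown in a few lines. This is an added example, not Flowise code and not taken from the VulnCheck report; the field names `command`, `args` and `env`, the command allowlist, and both function names are assumptions chosen for illustration.

```javascript
// Added illustration; not Flowise source code. Field names (command, args, env)
// and the command allowlist are assumptions made for this example.
const ALLOWED_COMMANDS = new Set(["node", "npx", "python", "uvx"]); // hypothetical allowlist
const ALLOWED_KEYS = new Set(["command", "args", "env"]);

// Anti-pattern: the text is compiled and run as JavaScript, so any expression
// inside it executes with the privileges of the server process.
function parseConfigByEvaluating(text) {
  return Function('"use strict"; return (' + text + ")")();
}

// Hardened form: the text is only ever parsed as JSON, then checked field by field.
function parseConfigAsData(text) {
  let cfg;
  try {
    cfg = JSON.parse(text); // a parser, not an interpreter: nothing is executed
  } catch (err) {
    throw new Error("config is not valid JSON");
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    throw new Error("config must be a JSON object");
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error("unexpected key: " + key);
  }
  if (typeof cfg.command !== "string" || !ALLOWED_COMMANDS.has(cfg.command)) {
    throw new Error("command is not on the allowlist");
  }
  const args = cfg.args === undefined ? [] : cfg.args;
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new Error("args must be an array of strings");
  }
  const env = cfg.env === undefined ? {} : cfg.env;
  if (env === null || typeof env !== "object" || Array.isArray(env) ||
      !Object.values(env).every((v) => typeof v === "string")) {
    throw new Error("env must map names to strings");
  }
  return { command: cfg.command, args: [...args], env: { ...env } };
}

// Constructed inputs: one plain JSON config, one containing a harmless expression.
const PLAIN = '{"command":"npx","args":["-y","example-mcp-server"],"env":{"MODE":"test"}}';
const WITH_EXPRESSION = '{command:"npx",args:[String(6*7)]}';

// True when the hardened parser refuses the input.
function rejects(text) {
  try { parseConfigAsData(text); return false; } catch (err) { return true; }
}
```

The evaluating parser computes `String(6*7)` while reading the second input, which is the behaviour that turns a configuration field into a code execution path; the hardened parser refuses that input because it is not JSON.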

Scale of the Exposure

The situation is compounded by the scale of the exposure. VulnCheck’s analysis indicates that more than 12,000 instances of Flowise are currently accessible on the public internet. These exposed installations represent a vast pool of potential targets for automated exploitation campaigns.

Flowise is a popular low-code tool for building customized AI workflows and chatbots. Its open-source nature and utility have led to widespread adoption by developers and businesses integrating AI capabilities. This very popularity now makes the vulnerability a high-value target for malicious actors.

The combination of a trivial exploitation path, the highest severity rating, and thousands of exposed instances creates a perfect storm for a widespread security incident. Security teams responsible for internet-facing applications are urged to prioritize this threat.

Recommended Mitigation and Response

The primary and most urgent mitigation is immediate patching. The Flowise development team has released versions 1.7.4 and 2.0.3 to address CVE-2025-59528. All users must upgrade their installations to one of these patched versions without delay.

For organizations unable to patch immediately, the workaround is to restrict network access to the Flowise application. It should not be exposed directly to the public internet. Placing it behind a virtual private network (VPN) or a strict firewall with access controls can reduce the attack surface.

Furthermore, administrators should audit their systems for any signs of compromise. This includes checking for unfamiliar user accounts, unexpected network connections, or anomalous processes running on servers hosting Flowise. Given the active exploitation, assuming compromise and verifying integrity is a prudent approach.

Broader Implications for AI Tool Security

This incident highlights the growing security challenges surrounding the rapid adoption of AI and machine learning tools. Open-source platforms, while driving innovation, require diligent security maintenance from both developers and users.

The vulnerability in a configuration node underscores how seemingly minor features can introduce critical risks. It serves as a reminder that the security of AI infrastructure is as important as the security of the models themselves.

Organizations integrating these tools into their operations must incorporate them into their standard vulnerability management and patch compliance programs. The fast-moving nature of both AI development and cyber threats demands proactive vigilance.

Looking ahead, the cybersecurity community expects exploitation attempts to increase as proof-of-concept code becomes more widely available. The Flowise team and security researchers will likely monitor attack patterns closely. Users who have not yet applied the patch should consider their instances actively targeted and take defensive action immediately to prevent data breach and system compromise.
