A critical remote code execution vulnerability in Flowise (CVE-2025-59528) is being actively exploited, allowing attackers to inject and execute arbitrary JavaScript via the CustomMCP mcpServerConfig setting. Users must upgrade to Flowise 3.1.1 (or at least 3.0.6) and remove unnecessary public exposure to prevent full system compromise. #Flowise #CVE-2025-59528
Keypoints
- CVE-2025-59528 enables arbitrary JavaScript execution through unsafe handling of mcpServerConfig in the CustomMCP node.
- Active exploitation has been observed in the wild, detected by VulnCheck's Canary network and linked to activity from a Starlink IP.
- Additional Flowise vulnerabilities (CVE-2025-8943 and CVE-2025-26319) are also being actively exploited and listed in VulnCheck's KEV.
- An estimated 12,000–15,000 Flowise instances are publicly reachable, increasing the potential attack surface.
- Immediate mitigation steps are to upgrade to Flowise 3.1.1 (or at least 3.0.6) and to restrict or remove public internet access for Flowise deployments.
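The first keypoint describes a bug class rather than a specific code path: a node setting that should be parsed as data is instead evaluated as JavaScript, so whatever the attacker puts in the setting runs with the server's privileges. The following is an added illustration of that class, not Flowise's own CustomMCP code; the only name taken from the advisory is the mcpServerConfig field. The "vulnerable" parser, the schema, the sample configs and the marker the payload plants are all constructed for the example, and the hardened parser shows the check a practitioner would want: strict JSON.parse plus an allow-list of keys and types.

```javascript
// Added illustration of the bug class (config text evaluated as JavaScript
// instead of parsed as data). Hypothetical code, not Flowise's CustomMCP
// implementation; only the field name mcpServerConfig comes from the advisory.

// Hypothetical VULNERABLE parser: accepts "JSON-ish" text by evaluating it as
// a JS expression. Any expression the attacker embeds runs on the server
// before the object is even returned.
function parseMcpServerConfigUnsafe(configText) {
  // eslint-disable-next-line no-new-func
  return new Function(`return (${configText});`)();
}

// Hardened parser: strict JSON only, then an allow-list of keys with type
// checks. Unknown keys are rejected rather than silently passed through.
// The allowed keys are an assumption for the example, not Flowise's schema.
const MCP_CONFIG_SCHEMA = {
  command: (v) => typeof v === 'string',
  args: (v) => Array.isArray(v) && v.every((a) => typeof a === 'string'),
  env: (v) => v !== null && typeof v === 'object' && !Array.isArray(v)
    && Object.values(v).every((e) => typeof e === 'string'),
  url: (v) => typeof v === 'string',
};

function parseMcpServerConfigSafe(configText) {
  let parsed;
  try {
    parsed = JSON.parse(configText); // data only, never evaluates code
  } catch (e) {
    throw new Error('mcpServerConfig must be valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('mcpServerConfig must be a JSON object');
  }
  const out = {};
  for (const [key, value] of Object.entries(parsed)) {
    const check = MCP_CONFIG_SCHEMA[key];
    if (!check) throw new Error(`unexpected key in mcpServerConfig: ${key}`);
    if (!check(value)) throw new Error(`bad type for mcpServerConfig.${key}`);
    out[key] = value;
  }
  return out;
}

// Constructed sample inputs. The "malicious" one plants a marker on globalThis
// instead of running a real command, so the demo is harmless; a
// child_process.execSync call would run just the same in the unsafe parser.
const BENIGN_CONFIG = '{"command": "npx", "args": ["-y", "example-mcp-server"]}';
const MALICIOUS_CONFIG =
  '(globalThis.__mcpConfigEvaluated = true, {"command": "npx"})';

// Runs both parsers over both inputs and reports what happened.
function demonstrate() {
  delete globalThis.__mcpConfigEvaluated;
  const unsafeResult = parseMcpServerConfigUnsafe(MALICIOUS_CONFIG);
  const unsafeRanAttackerCode = globalThis.__mcpConfigEvaluated === true;

  let safeRejectedMalicious = false;
  try {
    parseMcpServerConfigSafe(MALICIOUS_CONFIG);
  } catch (e) {
    safeRejectedMalicious = true;
  }
  const safeBenign = parseMcpServerConfigSafe(BENIGN_CONFIG);

  return {
    unsafeReturnedCommand: unsafeResult.command, // looks like a valid config
    unsafeRanAttackerCode,                       // true: payload executed
    safeRejectedMalicious,                       // true: rejected as non-JSON
    safeBenignCommand: safeBenign.command,       // 'npx': legit config accepted
  };
}

console.log(demonstrate());
```

The point the unsafe branch makes is that the returned object looks perfectly normal; the side effect has already happened by the time any later validation runs, which is why validation has to start with a parser that cannot execute anything.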
Read More: https://thecyberexpress.com/flowise-rce-vulnerability-cve-2025-59528/