Top open source AI platform Flowise hit by maximum-level security issue

News
By published

A 10/10 Flowise bug was patched, so update now

A padlock icon next to a person working on a laptop.
(Image credit: Shutterstock)
  • Flowise AI platform carried CVSS-10 arbitrary code flaw
  • Vulnerability in CustomMCP node exploited in the wild
  • Up to 15,000 exposed instances urged to update immediately

Flowise, a popular open source platform for building custom LLM apps and AI agents, carried a maximum-severity vulnerability which allowed threat actors to run arbitrary code and thus, potentially, take over entire systems.

Flowise is a low‑code platform which allows users to visually build AI workflows, chatbots and LLM‑powered applications by dragging and dropping components instead of writing code. Its GitHub project has more than 40,000 stars, and it is reported to power millions of chats and workflows across developers and companies.

In September 2025, it was discovered that version 3.0.5 contained a bug in the CustomMCP node. When users entered configuration data, the software would run it as JavaScript without checks. This let attackers execute any code on the server, including accessing files or running system commands.

Article continues below

Spotted in the wild

The vulnerability was fixed in version 3.0.6 and currently, the latest version is 3.1.1 - however, more than half a year later, security researchers spotted threat actors abusing it in the wild.

Citing Caitlin Condon from vulnerability intelligence firm VulnCheck, BleepingComputer reported the exploitation of the bug was seen in the company’s Canary network.

“Early this morning, VulnCheck's Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform,” Condon warned.

She said that the attack was limited to a single Starlink IP, but warned that it might soon expand, since there are currently up to 15,000 Flowise instances exposed to the wider internet. At least some of them are, most likely, not updated to the latest versions and, as such, vulnerable.

The best course of action would be to bring all Flowise instances to the newest version and, if possible, remove them from the public internet if it’s not necessary for everyday operations.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.