Flowise Critical Vulnerability - Hackers Inject JavaScript

Active exploitation or massive impact — immediate action required
Basically, hackers found a way to sneak harmful code into Flowise software.
What Happened
Attackers are exploiting a critical flaw in Flowise, a low-code platform used to build applications and agentic systems on top of large language models (LLMs). The flaw lets an attacker inject and run arbitrary JavaScript on the Flowise server because of a design oversight in the Custom MCP node, the node that connects an application's AI agent to external tools through MCP servers.
The Flaw
The vulnerability, tracked as CVE-2025-59528, carries the maximum CVSS score of 10.0. It stems from improper validation of the user-provided MCP server configuration: the node treats that configuration as code rather than as data, so whatever a user submits is handed to the Node.js runtime and executed without any security checks. The flaw was first disclosed in September 2025, and the latest version of Flowise, 3.1.1, includes a patch. Many instances, however, remain unpatched.
Who's Affected
According to a recent alert from VulnCheck, roughly 12,000 to 15,000 Flowise instances are exposed on the public internet. The first exploitation attempts were detected on April 6, 2026, so attackers are actively hunting for vulnerable systems rather than waiting for a proof of concept to circulate.
Signs of Exploitation
Successful exploitation lets an attacker run JavaScript with the full privileges of the Flowise Node.js process, which is effectively remote code execution on the host. The root cause is that the Custom MCP node takes the user-supplied configuration string and evaluates it directly instead of parsing it as plain data. Because nothing validates the input, a configuration that should describe an MCP server (a command, its arguments, or a URL) can instead load sensitive Node.js modules such as child_process or fs and run commands on the server. On an affected instance, Custom MCP nodes whose configuration is not a plain JSON object, or nodes nobody on the team remembers adding, are the first things to look for.
How to Protect Yourself
To mitigate the risks associated with this vulnerability, users of Flowise should:
- Update to the latest version (3.1.1 or higher) immediately.
- Review every existing Custom MCP node configuration: a configuration that is not a plain JSON object describing an MCP server should be treated as suspicious and removed.
- Monitor Flowise hosts for unusual activity, such as unexpected child processes spawned by the Flowise service or outbound connections it does not normally make.
- Where an instance must stay reachable, keep it behind authentication rather than exposing it directly to the internet, since the vulnerable input is reachable by anyone who can edit a flow.
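The example below is added here to make the mechanism described under "Signs of Exploitation" and the configuration review step above concrete. It is not Flowise's own code: it reconstructs the general pattern the article describes (a configuration string handed to the JavaScript engine instead of a strict JSON parser), shows a hardened parser beside it, and then audits a constructed chatflow export for Custom MCP nodes that fail the strict check. The node name `customMCP`, the input name `mcpServerConfig`, and the allowed configuration keys (`command`, `args`, `env`, `url`, `headers`) are assumptions used for illustration.

```javascript
// Added illustrative example, not Flowise's own code. Node/field names and the
// allowed key set are assumptions about the MCP server config shape.

// Vulnerable pattern: the user-supplied config string is evaluated as
// JavaScript, so anything in it runs with the privileges of the Node.js process.
function parseMcpConfigUnsafe(configText) {
  // eslint-disable-next-line no-new-func
  return new Function('return (' + configText + ')')();
}

const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);

function isStringRecord(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) &&
    Object.values(v).every((x) => typeof x === 'string');
}

// Hardened pattern: strict JSON only, then shape validation. JSON.parse never
// executes code, so "require(...)" or "process.env" is either a syntax error
// or inert text inside a string value.
function parseMcpConfigSafe(configText) {
  let cfg;
  try {
    cfg = JSON.parse(configText);
  } catch (e) {
    throw new Error('MCP config must be strict JSON: ' + e.message);
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('MCP config must be a JSON object');
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected key: ' + key);
  }
  if ('command' in cfg && typeof cfg.command !== 'string') throw new Error('command must be a string');
  if ('args' in cfg && !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  if ('env' in cfg && !isStringRecord(cfg.env)) throw new Error('env must map strings to strings');
  if ('url' in cfg && typeof cfg.url !== 'string') throw new Error('url must be a string');
  if ('headers' in cfg && !isStringRecord(cfg.headers)) throw new Error('headers must map strings to strings');
  if (!('command' in cfg) && !('url' in cfg)) throw new Error('config needs a command or a url');
  return cfg;
}

// Audit helper for the configuration review step: walk an exported chatflow
// and flag customMCP nodes whose config is not strict, well-shaped JSON.
function auditFlow(flow) {
  const findings = [];
  for (const node of flow.nodes || []) {
    if (!node.data || node.data.name !== 'customMCP') continue;
    const text = node.data.inputs && node.data.inputs.mcpServerConfig;
    if (typeof text !== 'string') continue;
    try {
      parseMcpConfigSafe(text);
    } catch (e) {
      findings.push({ nodeId: node.id, reason: e.message });
    }
  }
  return findings;
}

// Constructed sample flow: one benign node and one node carrying code instead
// of JSON. The payload only sets a global marker so the demo is visibly harmless.
const SAMPLE_FLOW = {
  nodes: [
    { id: 'mcp_0', data: { name: 'customMCP', inputs: {
        mcpServerConfig: '{"command":"npx","args":["-y","@modelcontextprotocol/server-filesystem","/tmp"]}' } } },
    { id: 'mcp_1', data: { name: 'customMCP', inputs: {
        mcpServerConfig: '(globalThis.__pwned = "code ran", {"command":"x"})' } } },
    { id: 'llm_0', data: { name: 'chatOpenAI', inputs: {} } },
  ],
};

// Runs the malicious sample through both parsers and the auditor.
function demo() {
  const bad = SAMPLE_FLOW.nodes[1].data.inputs.mcpServerConfig;
  const unsafeResult = parseMcpConfigUnsafe(bad); // the embedded code executes here
  const findings = auditFlow(SAMPLE_FLOW);
  return { codeRan: globalThis.__pwned === 'code ran', unsafeResult, findings };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the comparison is that the hardened parser gains nothing from pattern-matching for dangerous keywords; it simply never lets the input reach the JavaScript engine, and a shape check on the parsed object stops a config from smuggling in keys the node does not expect. For a real review, `auditFlow` would be pointed at the chatflows exported from the instance, and any node it flags should be inspected before the instance is trusted again.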
Conclusion
This flaw is a reminder that any input a platform turns into executable code must be treated as untrusted, especially in platforms that orchestrate AI workflows and therefore hold API keys and connect to internal tools. As these platforms spread, keeping them patched and off the open internet is the baseline for protecting the data and systems behind them.