Threat actors have found a way to inject arbitrary JavaScript into the Flowise low-code platform for building custom LLM and agentic systems.
The code injection was possible due to a design oversight, rated at max-severity, in the platform’s custom MCP node, which acts as a plug-in connector for an application’s AI agent to talk to external tools via MCP servers.
According to a recent VulnCheck alert, hackers have already started exploiting the flaw to insert malicious JavaScript code, with analysis showing close to 15000 Flowise instances exposed on the public internet.
The flaw was patched in the AI development platform’s version 3.0.6, the latest rollout being v 3.1.1, released last month.
Improper validation of MCP configurations
Flowise is a drag-and-drop service to build a customized large language model (LLM) flow. It allows users to drag the Custom MCP node into their workflows and paste necessary configurations (JSON) to point to an external MCP server.
The Custom MCP node that lets the application connect to any external MCP server using user-supplied configurations is where the problem lies. In version 3.0.5, these configurations are not properly validated against malicious code, allowing remote code execution.
“This node parses the user-provided mcpServerConfig string to build the MCP server configuration,” reads an NVD description of the flaw. “However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code.”
As the named function runs with full Node.js runtime privileges, “it can access dangerous modules such as child_process and fs,” the description adds.
The flaw is tracked under CVE-2025-59528, and was assigned a critical rating of CVSS 10.0 at the time of disclosure in September, 2025. The flaw was categorized under “Improper Control of Generation of Code (code Injection).”
Hackers exploit unpatched instances
While a patch has been available for months, a recent VulnCheck finding places the first in-the-wild exploitation on April 6. Caitlin Condon, VP of Security Research at the vulnerability intelligence company, warned of the abuse through a LinkedIn post.
“Early this morning, VulnCheck’s Canary network began detecting first-time exploitation of CVE-2025-59528, an arbitrary JavaScript code injection vulnerability in Flowise,” she wrote. “Observed activity so far originates from a single Starlink IP.” Around 12000 to 15000 instances remained exposed at the time, she noted in her post, although it is unclear how many of them were running a vulnerable Flowise version.
Condon added two more critical Flowise vulnerabilities, a missing authentication (CVE-2025-8943) and an arbitrary file upload (CVE-2025-26319), in the post that she said were also flagged against active exploitation by the Canary network. Exclusive exploitation details, including full payload and request data, were promised to the Canary Intelligence customers. Additionally, an exploit, PCAP, YARA rule, network signatures, and target Docker container have been available to its Initial Access Intelligence customers.
No Responses