{"id":7746,"date":"2026-04-08T12:24:30","date_gmt":"2026-04-08T12:24:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7746"},"modified":"2026-04-08T12:24:30","modified_gmt":"2026-04-08T12:24:30","slug":"hackers-exploit-a-critical-flowise-flaw-affecting-thousands-of-ai-workflows","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7746","title":{"rendered":"Hackers exploit a critical Flowise flaw affecting thousands of AI workflows"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors have found a way to inject arbitrary JavaScript into the Flowise low-code platform for building custom LLM and agentic systems.<\/p>\n<p>The code injection was possible due to a design oversight, rated at max-severity, in the platform\u2019s custom MCP node, which acts as a plug-in connector for an application\u2019s AI agent to talk to external tools via MCP servers.<\/p>\n<p>According to a recent VulnCheck alert, hackers have already started exploiting the flaw to insert malicious JavaScript code, with analysis showing close to 15000 Flowise instances exposed on the public internet.<\/p>\n<p>The flaw was patched in the AI development platform\u2019s version 3.0.6, the latest rollout being v3.1.1, <a href=\"https:\/\/github.com\/FlowiseAI\/Flowise\/releases\" target=\"_blank\" rel=\"noopener\">released<\/a> last month.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Improper validation of MCP configurations<\/h2>\n<p>Flowise is a drag-and-drop service to build a customized large language model (LLM) flow. 
It allows users to drag the Custom MCP node into their workflows and paste the necessary configurations (JSON) to point to an external <a href=\"https:\/\/www.csoonline.com\/article\/4087656\/what-cisos-need-to-know-about-new-tools-for-securing-mcp-servers.html\">MCP server<\/a>.<\/p>\n<p>The problem lies in the Custom MCP node, which lets the application connect to any external MCP server using user-supplied configurations. In version 3.0.5, these configurations are not properly validated against malicious code, allowing remote code execution.<\/p>\n<p>\u201cThis node parses the user-provided mcpServerConfig string to build the MCP server configuration,\u201d reads an NVD <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-59528\">description<\/a> of the flaw. \u201cHowever, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code.\u201d<\/p>\n<p>As the named function runs with full Node.js runtime privileges, \u201cit can access dangerous modules such as child_process and fs,\u201d the description adds.<\/p>\n<p>The flaw is tracked as <a href=\"https:\/\/github.com\/FlowiseAI\/Flowise\/security\/advisories\/GHSA-3gcm-f6qx-ff7p\" target=\"_blank\" rel=\"noopener\">CVE-2025-59528<\/a> and was assigned a critical rating of CVSS 10.0 at the time of disclosure in September 2025. The flaw was categorized under \u201cImproper Control of Generation of Code (Code Injection).\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Hackers exploit unpatched instances<\/h2>\n<p>While a patch has been available for months, a recent VulnCheck finding places the first in-the-wild exploitation on April 6. 
Caitlin Condon, VP of Security Research at the vulnerability intelligence company, warned of the abuse in a LinkedIn <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7446686314562850817\/\" target=\"_blank\" rel=\"noopener\">post<\/a>.<\/p>\n<p>\u201cEarly this morning, VulnCheck\u2019s Canary network began detecting first-time exploitation of CVE-2025-59528, an arbitrary JavaScript code injection vulnerability in Flowise,\u201d she wrote. \u201cObserved activity so far originates from a single Starlink IP.\u201d Around 12000 to 15000 instances remained exposed at the time, she noted in her post, although it is unclear how many of them were running a vulnerable Flowise version.<\/p>\n<p>In the post, Condon also named two more critical Flowise vulnerabilities, a missing authentication flaw (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-8943\" target=\"_blank\" rel=\"noopener\">CVE-2025-8943<\/a>) and an arbitrary file upload flaw (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-26319\" target=\"_blank\" rel=\"noopener\">CVE-2025-26319<\/a>), which she said the Canary network had also flagged as actively exploited. Exclusive exploitation details, including full payload and request data, were promised to Canary Intelligence customers. Additionally, an exploit, PCAP, YARA rule, network signatures, and target Docker container are available to its Initial Access Intelligence customers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors have found a way to inject arbitrary JavaScript into the Flowise low-code platform for building custom LLM and agentic systems. 
The code injection was possible due to a design oversight, rated at max-severity, in the platform\u2019s custom MCP node, which acts as a plug-in connector for an application\u2019s AI agent to talk to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7747,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7746","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7746"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7746"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7746\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7747"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}