If you're running Flowise to build AI agents, there's an active exploit targeting the platform right now — and it scores a 10 out of 10 on the severity scale. That's the maximum possible rating. One crafted request, and an attacker has full access to your server.

The vulnerability is CVE-2025-59528. It lives in the CustomMCP node — the component that connects your Flowise agents to external MCP servers and tools.

What Changed

The flaw itself isn't new. It was disclosed in September 2025 and patched in Flowise version 3.0.6. What changed this week is that active exploitation began, detected by VulnCheck via their Canary network. Exploitation attempts have been traced to a single Starlink IP address — opportunistic scanning of exposed instances.

The technical root cause: the CustomMCP node takes user-provided configuration input and evaluates it as JavaScript without any security validation. Because Flowise runs with full Node.js runtime privileges, successful exploitation gives attackers access to child_process (command execution) and fs (file system). Full server takeover. And exploitation requires only an API token — no authentication bypass, no complex exploit chain.
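To make the root cause concrete, here is an added example (not Flowise's own code) contrasting the unsafe pattern the advisory describes, evaluating a user-supplied configuration string as JavaScript, with a hardened parser that treats the same string strictly as JSON data and validates its shape. The `command`/`args`/`env` key names are an assumption about what an MCP server entry typically contains, not Flowise's actual schema.

```javascript
// Unsafe pattern: the configuration text is executed as JavaScript.
// new Function is equivalent to eval here; with full Node.js privileges any
// expression in the text runs server-side. Shown only to contrast with the fix.
function parseMcpConfigUnsafe(text) {
  return new Function(`return (${text});`)();
}

// Hardened pattern: parse as data only (JSON.parse never executes code),
// then reject anything that does not match the expected shape.
// Assumed schema: { command: string, args?: string[], env?: {[k]: string} }
const ALLOWED_KEYS = new Set(["command", "args", "env"]);

function parseMcpConfigSafe(text) {
  let cfg;
  try {
    cfg = JSON.parse(text);
  } catch (e) {
    throw new Error("MCP config is not valid JSON");
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    throw new Error("MCP config must be a JSON object");
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unexpected key: ${key}`);
  }
  if (typeof cfg.command !== "string" || cfg.command.length === 0) {
    throw new Error("command must be a non-empty string");
  }
  if (cfg.args !== undefined &&
      !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === "string"))) {
    throw new Error("args must be an array of strings");
  }
  if (cfg.env !== undefined &&
      !(cfg.env !== null && typeof cfg.env === "object" && !Array.isArray(cfg.env) &&
        Object.values(cfg.env).every((v) => typeof v === "string"))) {
    throw new Error("env must be an object of string values");
  }
  return cfg;
}

// Constructed sample inputs: a plain JSON entry and a JavaScript expression
// that is not JSON. The unsafe parser evaluates the expression (1 + 1 becomes 2);
// the safe parser rejects it outright and only accepts the plain JSON entry.
const SAMPLE_JSON = '{"command":"npx","args":["-y","example-mcp-server"]}';
const SAMPLE_EXPRESSION = '({command: "npx", note: 1 + 1})';
```

Running `parseMcpConfigSafe(SAMPLE_EXPRESSION)` throws, while `parseMcpConfigUnsafe` happily evaluates it; that difference is the whole vulnerability class.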

Between 12,000 and 15,000 Flowise instances are currently exposed on the public internet, per VulnCheck. This is the third Flowise vulnerability with confirmed in-the-wild exploitation.

The Bigger Picture

The Flowise exploit is part of a broader pattern that's worth naming: MCP is now an active attack surface. The protocol's design assumes trust in the configuration input connecting agents to external servers — and that assumption is being exploited. As MCP adoption has scaled to 97 million installs, the security model underneath hasn't kept pace. There's no standard permission manifest, no sandboxing at the protocol layer, no equivalent of app permissions on install. Every MCP server connection is full trust by default.

What This Means for You

Two things, in order of urgency. First: if you're running Flowise, update to version 3.1.1 immediately. If your instance is public-facing and doesn't need to be, take it off the internet. Second: audit your MCP connections across your agent stack generally. Every server you've connected adds context overhead on every message — and as of this week, also adds confirmed attack surface. Cut the ones you're not actively using.

Trish @ StackDrift

Drift Intel tracks security changes across the AI developer tooling ecosystem.
