What Happened
Between late January and early February 2025, security researchers at VulnCheck detected active exploitation of CVE-2025-59528, a JavaScript injection vulnerability in Flowise, a low-code platform for building AI workflows. This flaw, with a CVSS score of 10.0, allows attackers to inject arbitrary JavaScript into AI agent workflows without authentication. Flowise released a patch in version 3.0.6 (current version: 3.1.1), yet approximately 12,000 to 15,000 publicly exposed instances remain unpatched and vulnerable.
Timeline
Pre-January 2025: CVE-2025-59528 exists in Flowise, allowing unauthenticated JavaScript injection into AI workflows.
Version 3.0.6 Release: Flowise patches the critical flaw. The fix becomes publicly available.
Late January - Early February 2025: VulnCheck observes active exploitation attempts against vulnerable Flowise instances. VP of Security Research Caitlin Condon confirms ongoing attacks.
Current State: Despite the patch availability and version 3.1.1 being the latest release, thousands of exposed instances continue running vulnerable versions.
Which Controls Failed or Were Missing
Vulnerability Management Process: Organizations running Flowise lack a systematic process for tracking security advisories and applying patches. The gap between patch availability (3.0.6) and current version (3.1.1) suggests some teams aren't monitoring release notes.
Asset Inventory: Many organizations don't know which systems are running Flowise or where these instances are deployed. You can't patch what you don't know exists.
Network Segmentation: The exposure of 12,000-15,000 instances to the public internet indicates missing network controls. AI workflow platforms should be behind VPNs or zero-trust access controls, not facing the internet directly.
Change Management: Even with patch availability, organizations lack the change control processes to test and deploy updates within a reasonable window for critical vulnerabilities.
Security Testing of Dependencies: Teams adopted Flowise without evaluating its security posture or building contingency plans for when vulnerabilities emerge in the platform itself.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.3.1 mandates that security vulnerabilities are identified using reputable sources and addressed based on risk. For a CVSS 10.0 vulnerability with active exploitation, "based on risk" means immediate action.
PCI DSS v4.0.1 Requirement 6.3.3 requires critical security patches to be installed within one month of release. We're past that window for many of these instances.
NIST CSF v2.0 function Identify (ID.RA-01) requires organizations to identify and document asset vulnerabilities. If you're running Flowise but don't have it in your asset inventory, you're failing this basic control.
ISO/IEC 27001:2022 Control 8.8 requires organizations to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate measures. The continued exposure of thousands of instances suggests systematic failure here.
SOC 2 Type II Common Criteria CC7.1 requires organizations to identify, report, and act upon system changes and security incidents. A CVSS 10.0 vulnerability in a production system qualifies as both.
OWASP ASVS v4.0.3 Section 14.2 requires that all components are up to date and that a process exists for monitoring security vulnerabilities. Low-code platforms are dependencies—they count.
Lessons and Action Items for Your Team
Build an AI Platform Inventory Now: Create a list of every AI development tool, API gateway, and low-code platform your teams use. Include version numbers, deployment locations, and data access levels. Update this monthly. If you discover Flowise instances during this audit, upgrade them to version 3.1.1 immediately.
Treat Low-Code Platforms as High-Risk Dependencies: The ease of deployment that makes low-code platforms attractive also means they proliferate without oversight. Add these tools to your vulnerability management program with the same rigor you apply to databases and web servers.
Define Patch SLAs by CVSS Score: Create a written policy: CVSS 9.0-10.0 with known exploitation = 72-hour patch window. CVSS 7.0-8.9 = two weeks. CVSS 4.0-6.9 = 30 days. Lower scores follow your standard quarterly cycle. Get executive sign-off so you have authority to push emergency changes.
Remove Unnecessary Internet Exposure: Audit which systems truly need public internet access. AI workflow platforms rarely do. Put them behind a VPN, implement zero-trust access, or at minimum, restrict access to known IP ranges. This won't fix the vulnerability, but it reduces your attack surface while you patch.
Subscribe to Security Advisories for Your Stack: For each tool in your AI platform inventory, find and subscribe to its security mailing list or RSS feed. Assign someone to review these weekly. For critical tools like Flowise, check GitHub releases and security tabs directly—don't wait for an email.
Test Patches in Non-Production First: Even for critical vulnerabilities, deploy to a staging environment first. Give yourself a 24-hour window to verify the patch doesn't break your workflows, then push to production. For a CVSS 10.0 with active exploitation, this entire cycle should complete within 72 hours.
Document Your AI Workflow Dependencies: Map which business processes depend on which AI platforms. When a vulnerability emerges, you'll know immediately whether it affects your payment processing, customer service, or internal tools—and you can prioritize accordingly.
Implement Automated Vulnerability Scanning: Tools like Dependabot, Snyk, or your existing vulnerability scanner should monitor your AI platforms. Configure alerts for CVSS scores above 7.0 to route directly to your security team's incident queue.
The Flowise incident demonstrates a gap between AI adoption speed and security program maturity. Your compliance framework already requires the controls that would have prevented this exposure—vulnerability management, asset inventory, patch management. The question is whether you're applying those controls to your AI infrastructure with the same discipline you apply to your traditional stack.
