What Happened
A critical remote code execution vulnerability in Flowise AI—an open-source platform for building AI agents—is being actively exploited. CVE-2025-59528 carries a CVSS score of 10.0, the highest severity rating, due to improper validation of JavaScript code execution. Security researcher Kim SooHyun discovered and reported the flaw. VulnCheck's research confirms active exploitation targeting over 12,000 internet-facing Flowise instances.
The vulnerability allows attackers to execute arbitrary commands on affected systems without authentication. Once exploited, attackers can run malicious code, exfiltrate sensitive data, and potentially access other systems in the environment.
Timeline
Initial Discovery: Kim SooHyun identified the improper JavaScript validation flaw and reported it to Flowise maintainers.
Patch Release: Flowise released a security update addressing CVE-2025-59528.
Active Exploitation Detected: VulnCheck observed exploitation attempts originating from a single Starlink IP address, indicating coordinated attack activity.
Current State: Over 12,000 vulnerable instances remain exposed to the internet, representing organizations that have not yet applied the available patch.
Which Controls Failed or Were Missing
The Flowise incident reveals multiple control failures:
Lack of Input Validation: The platform failed to properly validate JavaScript code before execution, the root cause of CVE-2025-59528. This represents a fundamental secure coding failure.
Absence of Network Segmentation: Organizations running Flowise exposed these instances directly to the internet without intermediate security controls or access restrictions.
Missing Vulnerability Management Process: The gap between patch availability and deployment across 12,000+ instances indicates organizations lack systematic processes for identifying, prioritizing, and remediating vulnerabilities in their AI infrastructure.
No Runtime Application Self-Protection: Affected instances operated without runtime monitoring or behavioral controls that could detect and block malicious code execution attempts.
Insufficient Asset Inventory: Many organizations appear unaware they're running vulnerable Flowise instances, suggesting incomplete asset discovery and tracking processes.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software be developed securely according to industry standards. Input validation failures like the one in CVE-2025-59528 directly violate this requirement. Organizations processing payment data through AI platforms must ensure proper validation of all user-supplied input.
OWASP Top 10 2021: A03:2021 – Injection identifies injection flaws as a critical web application risk. The Flowise vulnerability represents a classic injection scenario where unvalidated code reaches an interpreter.
NIST 800-53 Rev 5 SI-2 (Flaw Remediation) requires organizations to identify, report, and correct system flaws, test software updates for effectiveness, and install security-relevant updates within organization-defined time periods. The 12,000+ unpatched instances demonstrate widespread SI-2 non-compliance.
ISO/IEC 27001:2022 Annex A.8.8 (Management of Technical Vulnerabilities) requires organizations to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate measures. A CVSS 10.0 vulnerability with active exploitation demands immediate action under this control.
SOC 2 Type II CC7.1 addresses system monitoring, including the detection of security incidents. Organizations claiming SOC 2 compliance must demonstrate they can detect and respond to active exploitation attempts like those targeting Flowise instances.
Lessons and Action Items for Your Team
Immediate Actions:
Inventory Your AI Infrastructure: Create a complete list of all AI platforms, agents, and tools running in your environment. Include version numbers and internet exposure status. If you're running Flowise, patch immediately or take instances offline until you can patch.
Implement Emergency Patching Procedures: Define criteria for emergency patches (CVSS 9.0+, active exploitation, affects internet-facing systems) and establish a process to deploy them within 24-48 hours. Document who has authority to approve emergency changes.
Review Network Exposure: Map which AI platforms have direct internet access. Place them behind VPNs, zero-trust network access controls, or at minimum, restrict access to known IP ranges.
Strategic Improvements:
Establish AI-Specific Vulnerability Tracking: Subscribe to security advisories for every AI platform and library you use. Open-source AI tools often lack the vendor notification systems present in commercial software. Set up monitoring for CVE databases filtered to your technology stack.
Implement Runtime Monitoring: Deploy application security monitoring that can detect unusual code execution patterns, unexpected network connections, or data exfiltration attempts. For containerized AI workloads, use runtime security tools that can enforce behavioral policies.
Create an Open-Source Risk Framework: Define criteria for vetting open-source AI platforms before deployment: community size, security track record, update frequency, and vulnerability disclosure process. Require security reviews before introducing new open-source AI components.
Test Your Incident Response: Run a tabletop exercise simulating a critical vulnerability in your AI infrastructure. Can your team identify all affected instances within one hour? Can you patch or isolate them within four hours? Document the gaps you discover.
Compliance Alignment:
Map AI Assets to Compliance Scope: Identify which AI systems process regulated data (payment information, PHI, PII). These require stricter vulnerability management timelines and more rigorous testing before deployment.
Update Your Risk Register: Add "Critical vulnerability in AI platform" as a scenario. Document potential business impact, affected data types, and required response procedures. Review quarterly as your AI footprint grows.
The Flowise incident demonstrates that AI platforms face the same fundamental security challenges as traditional applications—but often with less mature security practices around them. Your vulnerability management process must cover AI infrastructure with the same rigor you apply to databases, web servers, and API gateways. A CVSS 10.0 vulnerability isn't theoretical when 12,000 instances sit exposed to active exploitation.
