
"As only an API token is required, this poses an extreme security risk to business continuity and customer data," Flowise notes in its advisory.
"This is a critical-severity bug in a popular AI platform used by a number of large corporations. This specific vulnerability has been public for more than six months, which means defenders have had time to prioritize and patch the vulnerability," said VulnCheck VP of security research Caitlin Condon.
"The internet-facing attack surface area of 12,000+ exposed instances makes it crucial for organizations to assess their security posture and apply necessary updates promptly."
Flowise has a critical vulnerability, CVE-2025-59528, that allows remote code execution because user-supplied JavaScript code is executed without validation. The flaw affects versions up to and including 3.0.5 and was patched in 3.0.6. An attacker needs only an API token to exploit it, putting business continuity and data security at risk. VulnCheck has reported in-the-wild exploitation attempts, indicating growing interest in vulnerable Flowise deployments. Between 12,000 and 15,000 Flowise instances are publicly accessible, but how many of them run vulnerable versions is unknown.
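The summary leaves the practical question open: of the exposed instances, which ones are still on an affected version? The script below is an added example, not code from the article, SecurityWeek, VulnCheck or the Flowise project. It takes an inventory of Flowise hosts with the version each one reports (the inventory here is constructed for illustration) and sorts them into patch-now, patch, unknown and ok buckets using only the range the article states: everything up to and including 3.0.5 is affected, 3.0.6 is the first fixed release. Hosts whose version could not be determined are deliberately kept in their own bucket rather than assumed safe.

```python
"""Triage a Flowise inventory against CVE-2025-59528.

Added example; not from the article or the Flowise project. The affected
range (<= 3.0.5, fixed in 3.0.6) is taken from the article; the inventory
below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# First release that carries the fix, per the article.
FIXED_VERSION = (3, 0, 6)

# Accepts "3.0.5", "v3.0.5" and tolerates a pre-release/build suffix, which
# is ignored for the comparison (a "3.0.6-rc1" is treated as 3.0.6).
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: Optional[str]):
    """Return (major, minor, patch) or None when the string is not a version."""
    if text is None:
        return None
    m = _SEMVER.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True when the version predates the fixed release (i.e. <= 3.0.5)."""
    return version < FIXED_VERSION


@dataclass
class Host:
    name: str
    internet_facing: bool
    version: Optional[str]  # as reported by the instance; None if unknown


def triage(hosts):
    """Bucket hosts by urgency.

    patch_now: affected and reachable from the internet
    patch:     affected but internal only
    unknown:   version could not be determined; do not treat as safe
    ok:        running 3.0.6 or later
    """
    buckets = {"patch_now": [], "patch": [], "unknown": [], "ok": []}
    for h in hosts:
        v = parse_version(h.version)
        if v is None:
            buckets["unknown"].append(h.name)
        elif is_affected(v):
            key = "patch_now" if h.internet_facing else "patch"
            buckets[key].append(h.name)
        else:
            buckets["ok"].append(h.name)
    return buckets


# Constructed inventory for the example; hostnames and versions are made up.
INVENTORY = [
    Host("flowise-prod-01", True, "3.0.5"),
    Host("flowise-prod-02", True, "3.0.6"),
    Host("flowise-dev", False, "2.2.8"),
    Host("flowise-lab", True, None),
    Host("flowise-stage", False, "v3.1.0"),
]

if __name__ == "__main__":
    for bucket, names in triage(INVENTORY).items():
        print(f"{bucket:10s} {', '.join(names) or '-'}")
```

Feed it whatever your asset inventory exports (the version string Flowise reports in its UI or package metadata is enough); the point is that a host with no version is a triage item, not a pass.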
Read at SecurityWeek