Particle.news

Flowise CVSS 10 Flaw Now Exploited in the Wild as 12,000+ Instances Remain Exposed

Active probes put thousands of exposed servers at risk despite a September patch.

Overview

  • VulnCheck, which reported on Tuesday that the first in-the-wild attacks had been detected, saw traffic from a single Starlink IP targeting Flowise servers.
  • The flaw sits in the CustomMCP component, which evaluates user-supplied JavaScript and grants full Node.js privileges including child_process and fs.
  • Flowise warns that only an API token is needed to run attacker code, raising the risk of server takeover and data theft for teams running chatbots and agent workflows.
  • The bug affected versions up to 3.0.5 and was fixed in 3.0.6 in September 2025, with experts urging upgrades to the current 3.1.1 release and removal of public access where not needed.
  • VulnCheck estimates 12,000 to 15,000 internet-facing deployments, and this is the third Flowise issue seen exploited after earlier remote command execution and arbitrary file upload flaws.
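The version boundaries in the summary above (affected up to 3.0.5, fixed in 3.0.6, current release 3.1.1) are the facts a defender needs to triage a fleet. The script below is an added example, not code from Particle.news, VulnCheck or the Flowise project; it assumes those three version numbers, handles the "v" prefix and prerelease suffixes that appear in real package metadata (a prerelease of the fix version is still treated as unpatched), and runs over a constructed inventory of hypothetical hosts standing in for what a fleet scan or a read of each deployment's package.json would return.

```javascript
// Added example (not from Particle.news or the Flowise project): triage a
// Flowise version string against the fix boundaries stated in the article.
// Assumed from the article: affected <= 3.0.5, fixed in 3.0.6, current 3.1.1.
const FIXED_VERSION = "3.0.6";
const CURRENT_RELEASE = "3.1.1";

// Parse "MAJOR.MINOR.PATCH" with optional leading "v" and optional
// "-prerelease" suffix (e.g. "v3.0.6", "3.0.6-beta.1").
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts below the same numeric release (3.0.6-beta.1 < 3.0.6),
// so a prerelease build of the fix version still counts as unpatched.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Classify one deployment: "affected" (below the fix) or "patched", plus the
// recommended action. Patched-but-stale instances are still told to upgrade.
function triage(version) {
  const patched = compareVersions(version, FIXED_VERSION) >= 0;
  const upToDate = compareVersions(version, CURRENT_RELEASE) >= 0;
  let action = "none";
  if (!patched) action = `upgrade to ${CURRENT_RELEASE} immediately`;
  else if (!upToDate) action = `upgrade to ${CURRENT_RELEASE}`;
  return { version, status: patched ? "patched" : "affected", action };
}

// Constructed inventory of hypothetical hosts (not real deployments).
const inventory = [
  { host: "flowise-prod.example", version: "3.0.5" },
  { host: "flowise-staging.example", version: "v3.0.6" },
  { host: "flowise-dev.example", version: "3.1.1" },
  { host: "flowise-lab.example", version: "3.0.6-beta.1" },
];

// Run triage over a list of { host, version } records.
function triageInventory(list) {
  return list.map((h) => ({ host: h.host, ...triage(h.version) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triageInventory(inventory)) console.log(r);
}
```

Feed `triageInventory` whatever your asset inventory produces; any host reported as "affected" should also be checked for public exposure, since the article's advice is to both upgrade and remove internet access where it is not needed.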