Flowise Under Siege: 15,000 AI Servers at Risk from Deadly Code Injection Flaw

When an open-source tool powers the next wave of artificial intelligence, its weaknesses become everyone’s problem. That’s the harsh reality facing thousands of organizations this week as Flowise, a popular platform for building AI solutions, finds itself at the epicenter of a global security crisis. A newly discovered flaw - so severe it earned the highest risk rating - has left over 15,000 Flowise servers wide open to attackers, who are already moving in.

The Anatomy of a Breach

The vulnerability at the heart of this crisis lies within Flowise’s “CustomMCP node,” a feature designed to help users connect to external servers by entering configuration details. But rather than treating this input as harmless text, Flowise’s code evaluates it as executable JavaScript - without any safety checks. This design oversight hands attackers a direct line to the system’s core.

By sending a specially crafted network request to a vulnerable Flowise API endpoint, a remote attacker can slip malicious code past all defenses. The server, running with full privileges, executes this code in the background - granting the intruder unfettered access. Security researchers demonstrated that a single web request could let an attacker run arbitrary shell commands, create unauthorized files, and ultimately seize control.

Active Exploitation: The Threat Is Real

The cybersecurity firm VulnCheck has confirmed that attackers are already targeting this flaw. The first documented attacks originated from a Starlink IP address, signaling that cybercriminals are wasting no time. With over 15,000 unpatched servers visible online, the window for defense is rapidly closing.

The potential fallout is dire: full host compromise, silent data exfiltration, and the ability to execute any system-level command. For organizations using Flowise - often to power sensitive AI workloads - this could mean catastrophic data loss or even business disruption. Notably, this isn’t the first time Flowise has been in the crosshairs; earlier vulnerabilities have also seen real-world exploitation.

Patch or Perish

Flowise maintainers have released version 3.0.6, closing the door on this vulnerability for those who act swiftly. Security teams are urged to update immediately. Leaving older versions exposed is an open invitation to attackers, as active scanning and exploitation continue to surge.

Conclusion

The Flowise crisis is a stark reminder: even the most innovative platforms can become liabilities overnight if security is neglected. As the world races to adopt AI, the need for vigilance - and rapid response - has never been more urgent.

WIKICROOK

• Code Injection: Code injection is an attack where hackers insert malicious code into a program, letting them control or compromise the targeted system.
• Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
• API Endpoint: An API endpoint is a specific web address where software systems exchange data, acting as a secure digital service window for requests and responses.
• CVSS Score: A CVSS Score rates the severity of security vulnerabilities from 0 to 10, with higher numbers indicating greater risk and urgency for response.
• Patch: A patch is a software update released to fix security vulnerabilities or bugs in programs, helping protect devices from cyber threats and improve stability.