cnvd - cnvd-2025-21415

CNVD-2025-21415

Vulnerability from cnvd - Published: 2025-09-17

Title

Flowise访问控制错误漏洞

Description

Flowise是FlowiseAI开源的一个用于轻松构建LLM应用程序的工具。 Flowise 3.0.5及之前版本存在访问控制错误漏洞，该漏洞源于forgot-password端点未经验证返回密码重置令牌，攻击者可利用该漏洞导致账户接管。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-58434

Impacted products

Name
Flowise Flowise <=3.0.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-58434",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-58434"
    }
  },
  "description": "Flowise\u662fFlowiseAI\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8e\u8f7b\u677e\u6784\u5efaLLM\u5e94\u7528\u7a0b\u5e8f\u7684\u5de5\u5177\u3002\n\nFlowise 3.0.5\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eforgot-password\u7aef\u70b9\u672a\u7ecf\u9a8c\u8bc1\u8fd4\u56de\u5bc6\u7801\u91cd\u7f6e\u4ee4\u724c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8d26\u6237\u63a5\u7ba1\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-21415",
  "openTime": "2025-09-17",
  "products": {
    "product": "Flowise Flowise \u003c=3.0.5"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-58434",
  "serverity": "\u9ad8",
  "submitTime": "2025-09-16",
  "title": "Flowise\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2025-58434 (GCVE-0-2025-58434)

Vulnerability from cvelistv5 – Published: 2025-09-12 17:37 – Updated: 2025-09-15 15:31

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

Tags

	https://github.com/FlowiseAI/Flowise/security/adv…	x_refsource_CONFIRM
	https://github.com/FlowiseAI/Flowise/commit/9e178…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	FlowiseAI	Flowise	Affected: <= 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58434",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-12T18:10:37.792799Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-12T18:11:08.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Flowise",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T15:31:08.595Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph"
        },
        {
          "name": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863"
        }
      ],
      "source": {
        "advisory": "GHSA-wgpv-6j63-x5ph",
        "discovery": "UNKNOWN"
      },
      "title": "Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58434",
    "datePublished": "2025-09-12T17:37:08.190Z",
    "dateReserved": "2025-09-01T20:03:06.531Z",
    "dateUpdated": "2025-09-15T15:31:08.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-21415

CVE-2025-58434 (GCVE-0-2025-58434)

Tags

Sightings

Nomenclature