GHSA-X7RP-QJ2H-GHGW

Vulnerability from github – Published: 2025-11-14 20:50 – Updated: 2025-11-14 20:50
VLAI
Summary
Flowise Fails to Invalidate Existing Sessions After Password Changes
Details

Summary

Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).

Details

After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user’s password change.

PoC

Repro steps: 1. As logged in user on two browsers (ie. Chrome and Firefox, with incognito/private mode) https://cloud.flowiseai.com/account change password, on the Chrome for example 2. Refresh the site on Firefox (second browser) - notice that still logged in (despite credentials were changed)

POC: Steps described above (in Repro steps) completed successfully.

Impact

Persistent unauthorized access despite credential rotation - undermines the primary purpose of password changes as a remediation step. Enables attackers with an active session (remote or physical access to a device) to continue acting as the user (confidentiality and integrity impact). If session tokens are not bound to the credential state, forced password changes won’t terminate attacker sessions.

Resources OWASP Session Management Cheat Sheet CWE-613: Insufficient Session Expiration

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T20:50:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nFailure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).\n\n### Details\nAfter a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user\u2019s password change.\n\n### PoC\n**Repro steps:**\n1. As logged in user on two browsers (ie. Chrome and Firefox, with incognito/private mode) https://cloud.flowiseai.com/account change password, on the Chrome for example\n2. Refresh the site on Firefox (second browser) - notice that still logged in (despite credentials were changed)\n\n**POC:**\nSteps described above (in Repro steps) completed successfully.\n\n### Impact\nPersistent unauthorized access despite credential rotation - undermines the primary purpose of password changes as a remediation step.\nEnables attackers with an active session (remote or physical access to a device) to continue acting as the user (confidentiality and integrity impact).\nIf session tokens are not bound to the credential state, forced password changes won\u2019t terminate attacker sessions.\n\n**Resources**\nOWASP Session Management Cheat Sheet\nCWE-613: Insufficient Session Expiration",
  "id": "GHSA-x7rp-qj2h-ghgw",
  "modified": "2025-11-14T20:50:36Z",
  "published": "2025-11-14T20:50:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/pull/5294"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise Fails to Invalidate Existing Sessions After Password Changes"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…