CVE-2025-58434
📋 TL;DR
This vulnerability in Flowise allows unauthenticated attackers to generate password reset tokens for any user account, leading to complete account takeover. It affects both cloud-hosted and self-hosted deployments of Flowise version 3.0.5 and earlier. Attackers can directly reset passwords without any authentication or verification.
💻 Affected Systems
- Flowise
📦 What is this software?
Flowise by Flowiseai
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts, including administrative accounts, leading to full system control, data theft, and potential lateral movement in connected systems.
Likely Case
Account takeover of regular users leading to unauthorized access to sensitive LLM flows, data exfiltration, and potential privilege escalation.
If Mitigated
Failed password reset attempts logged for investigation, with no successful account takeovers due to proper token validation and secure delivery mechanisms.
🎯 Exploit Status
A simple HTTP request to the forgot-password endpoint with any email address returns a sensitive reset token without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.6
Vendor Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph
Restart Required: Yes
Instructions:
1. Update Flowise to version 3.0.6 or later.
2. Apply commit 9e178d68873eb876073846433a596590d3d9c863.
3. Restart the Flowise service.
🔧 Temporary Workarounds
Disable forgot-password endpoint
Temporarily disable the vulnerable forgot-password API endpoint until patching is possible.
Modify API routing to block the /api/v1/auth/forgot-password endpoint.
Network-level blocking
Block access to the forgot-password endpoint at the firewall/load balancer level.
Add a rule to block requests to */forgot-password.
🧯 If You Can't Patch
- Implement WAF rules that block forgot-password responses containing a reset token (e.g. a tempToken field)
- Enable detailed logging and monitoring of all password reset attempts, with alerting on suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Send a POST request to /api/v1/auth/forgot-password with any email address. If the response contains tempToken or sensitive account details, the system is vulnerable.
Check Version:
Check package.json for version or run: npm list flowise
Verify Fix Applied:
After the update, the same request should return only a generic success message, without any tokens or sensitive information.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from a single IP
- Password reset requests for non-existent users
- Unusual patterns in auth logs
Network Indicators:
- HTTP POST requests to /forgot-password endpoint followed by immediate password reset attempts
- Unusual traffic spikes to authentication endpoints
SIEM Query:
source="flowise" AND (uri_path="/api/v1/auth/forgot-password" OR event="password_reset") | stats count by src_ip, user
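The three log and network indicators above, as an added detection example (not part of this advisory or of Flowise itself). It runs over constructed sample lines in a hypothetical "time src_ip path status user" format; the reset-password path and the use of status 404 to mark an unknown account are assumptions, so map them to your own Flowise log fields.

```python
from datetime import datetime, timedelta

FORGOT = "/api/v1/auth/forgot-password"
RESET = "/api/v1/auth/reset-password"  # assumed path of the follow-up reset call
# Constructed sample lines (hypothetical format: time src_ip path status user);
# status 404 stands in for the app logging "no account for this email".
SAMPLE_LOGS = """\
2025-09-01T10:00:00 203.0.113.5 /api/v1/auth/forgot-password 200 alice@example.com
2025-09-01T10:00:02 203.0.113.5 /api/v1/auth/reset-password 200 alice@example.com
2025-09-01T10:00:05 203.0.113.5 /api/v1/auth/forgot-password 200 bob@example.com
2025-09-01T10:00:07 203.0.113.5 /api/v1/auth/forgot-password 404 nobody@example.com
2025-09-01T10:00:09 203.0.113.5 /api/v1/auth/forgot-password 404 ghost@example.com
2025-09-01T11:30:00 198.51.100.9 /api/v1/auth/forgot-password 200 carol@example.com
2025-09-01T12:45:00 198.51.100.9 /api/v1/auth/reset-password 200 carol@example.com
"""

def parse_logs(text):
    """One dict per non-blank line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, path, status, user = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                           "path": path, "status": int(status), "user": user})
    return events

def bulk_requesters(events, threshold=3):
    """IPs issuing at least `threshold` forgot-password requests (token harvesting)."""
    counts = {}
    for e in events:
        if e["path"] == FORGOT:
            counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def unknown_user_requests(events):
    """Forgot-password calls for accounts that do not exist (account enumeration)."""
    return [(e["ip"], e["user"]) for e in events
            if e["path"] == FORGOT and e["status"] == 404]

def fast_resets(events, window=timedelta(seconds=60)):
    """Reset completed within `window` of the forgot-password call from the same IP."""
    # A real user waits for the e-mail; a client that got the token in the response does not.
    hits, pending = [], {}  # pending: (ip, user) -> time of last forgot-password call
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["ip"], e["user"])
        if e["path"] == FORGOT:
            pending[key] = e["ts"]
        elif e["path"] == RESET and key in pending and e["ts"] - pending[key] <= window:
            hits.append(key)
    return hits
```

Tune `threshold` and `window` to your own baseline; the 60-second window is deliberately shorter than any realistic mail round trip.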