A critical vulnerability affecting FlowiseAI’s Flowise platform has been disclosed, revealing a severe authentication bypass flaw that allows attackers to perform complete account takeovers with minimal effort.
The vulnerability tracked as CVE-2025-58434 impacts both cloud deployments at cloud.flowiseai.com and self-hosted installations, making it a widespread security concern for organizations using this AI agent-building platform.
Key Takeaways
1. Critical flaw in FlowiseAI exposes password reset tokens.
2. Affects both cloud and self-hosted deployments.
3. Deploy WAF protection and restrict API access until official patches become available.
Password Reset Token Vulnerability
The vulnerability stems from a fundamental design flaw in the /api/v1/account/forgot-password endpoint, which inappropriately returns sensitive authentication tokens in API responses without proper verification.
When an attacker submits a password reset request, the endpoint responds with complete user details, including the victim’s tempToken and tokenExpiry timestamp, effectively bypassing the intended email-based verification process.
The exploitation process requires only knowledge of the target’s email address. Attackers can execute a simple POST request to the vulnerable endpoint using curl commands: curl -i -X POST https://
The server responds with a 201 Created status, exposing the complete user object containing the tempToken required for password reset operations.
Once obtained, the exposed tempToken can be immediately reused against the /api/v1/account/reset-password endpoint to change the victim’s credentials without any additional verification.
This second-stage attack utilizes another POST request containing the victim’s email, the intercepted tempToken, and the attacker’s chosen password.
The server processes this request with a 200 OK response, completing the account takeover process.
The vulnerability carries a CVSS 3.1 Base Score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-accessible exploitation requiring no authentication, low attack complexity, and resulting in high impact across confidentiality, integrity, and availability.
This classification reflects the vulnerability’s potential for widespread automated exploitation against both cloud and on-premises deployments.
The vulnerability was reported by security researchers Zaddy6 and Arthurgervais.
| Risk Factors | Details |
| Affected Products | FlowiseAI Flowise < 3.0.5, Flowise Cloud (cloud.flowiseai.com), Self-hosted/Local Deployments |
| Impact | Complete Account Takeover (ATO) |
| Exploit Prerequisites | Target email address, Network access to /api/v1/account/forgot-password endpoint, No authentication required |
| CVSS 3.1 Score | 9.8 (Critical) |
Mitigation
To address this critical flaw, FlowiseAI and self-hosted administrators should implement the following measures immediately:
Ensure that the /api/v1/account/forgot-password endpoint never discloses tempToken or any sensitive account details in its HTTP response.
Instead, return a generic success message such as {“message”:”If the email exists, you will receive reset instructions.”} regardless of whether the email is registered.
Enforce delivery of password reset tokens exclusively via the user’s verified email address. The API should generate a one-time tempToken, store it securely server-side, and invalidate it upon first use or after a short expiration period.
Add validation to the /api/v1/account/reset-password endpoint by checking that the tempToken matches the last generated token for the given email, hasn’t been used, and originates from the same client/IP that requested it.
Logging each password reset request along with associated IP addresses and timestamps will aid in detecting anomalous patterns.
Conduct a thorough code review of both cloud and self-hosted deployment branches to confirm that no residual debug endpoints expose sensitive data.
Implement strict rate limiting on both password reset endpoints to thwart automated enumeration or brute-force attempts. Plan a patch release for version 3.0.5 that automates all the above fixes and communicates clear upgrade instructions.
Until the patch is available, administrators should consider placing the application behind a Web Application Firewall (WAF) and restricting access to the API endpoints to known networks or authenticated channels only.
By eliminating direct token exposure and enforcing robust verification and monitoring practices, organizations can mitigate the risk of account takeover and preserve the integrity of user credentials.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Source link
