What's Happening?
A critical vulnerability has been identified in FlowiseAI's platform that lets an attacker bypass authentication and take over user accounts. The flaw, tracked as CVE-2025-58434, affects both cloud and self-hosted deployments. It stems from a design flaw in the /api/v1/account/forgot-password endpoint, which returns the password-reset material in its HTTP response instead of delivering it only to the account owner's email address. An attacker who knows a target's email address submits a password reset request for it, receives the user's details, including the tempToken and its tokenExpiry timestamp, directly in the response body, and can then complete the reset without ever seeing the verification email. The result is that an attacker can change a victim's credentials with minimal effort and without any interaction from the victim, which is a significant security risk.
Why It's Important?
The vulnerability poses a severe threat to organizations using FlowiseAI because it allows complete account takeover. With a CVSS score of 9.8 the flaw is classified as critical: that score corresponds to an attack that is reachable over the network, requires no privileges and no user interaction, and has high impact on confidentiality, integrity, and availability. A successful exploit gives the attacker full access to everything the victim's account can reach, including any data and workflows it holds. Organizations must address this flaw to protect user credentials and prevent data breaches. The incident also illustrates a general rule of API design: a password-reset endpoint must never hand the reset secret back to the caller, since the whole point of the email step is to prove the requester controls the mailbox.
What's Next?
FlowiseAI's maintainers and administrators are advised to act immediately. On the application side this means ensuring the forgot-password endpoint no longer discloses tempToken, tokenExpiry, or any other reset material in its response, delivering reset tokens only through the registered email address, and validating the token server-side, bound to the account and an expiry, before any credential change is accepted. A thorough code review of the other account endpoints for the same pattern and rate limiting on the forgot-password endpoint are also recommended. Until a patch is released and deployed, placing the application behind a Web Application Firewall and restricting who can reach the API reduce exposure to automated exploitation and help preserve the integrity of user credentials.