What is the story about?
What's Happening?
A critical vulnerability has been identified in FlowiseAI's platform, affecting both cloud and self-hosted installations. The flaw, tracked as CVE-2025-58434, allows attackers to bypass authentication and take over accounts with minimal effort. It is rooted in the /api/v1/account/forgot-password endpoint, which returns sensitive authentication tokens in its API response without verifying the requester. An attacker only has to submit a password reset request for a target account: the response contains the complete user details, including the tempToken and its tokenExpiry timestamp, so the email-based verification step is bypassed entirely. The vulnerability has a CVSS 3.1 Base Score of 9.8, indicating high impact across confidentiality, integrity, and availability.
Why Is It Important?
This vulnerability is significant because it poses a severe security risk to organizations using FlowiseAI's platform. Because attackers can take over accounts with so little effort, the flaw could lead to unauthorized access to sensitive data, potentially resulting in data breaches and financial losses. Organizations relying on the platform for AI agent-building are at risk, which makes immediate security measures necessary. The widespread nature of the vulnerability, affecting both cloud and on-premises deployments, underscores the importance of robust security practices and the consequences of inadequate protection.
What's Next?
FlowiseAI and administrators of self-hosted deployments are advised to implement immediate security measures to mitigate the risk. These include ensuring that the /api/v1/account/forgot-password endpoint does not return the reset token or other sensitive account details, delivering password reset tokens only via verified email addresses, and adding validation checks to the reset-password endpoint. Additionally, conducting thorough code reviews, implementing rate limiting, and placing the application behind a Web Application Firewall are recommended. A patch release for version 3.0.5 is planned to automate these fixes and provide upgrade instructions.
AI Generated Content