一、 漏洞 CVE-2025-58434 基础信息
漏洞信息
                                        # Flowise 未认证密码重置令牌泄露漏洞

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源:美国国家漏洞数据库 NVD
漏洞类别
关键功能的认证机制缺失
来源:美国国家漏洞数据库 NVD
漏洞标题
Flowise 访问控制错误漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Flowise是FlowiseAI开源的一个用于轻松构建 LLM 应用程序的工具。 Flowise 3.0.5及之前版本存在访问控制错误漏洞,该漏洞源于forgot-password端点未经验证返回密码重置令牌,可能导致账户接管。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
授权问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-58434 的公开POC
# POC 描述 源链接 神龙链接
1 Flowise versions 3.0.5 and earlier had a vulnerability in the forgot-password endpoint, which returned valid reset tokens without authentication—allowing attackers to reset passwords and take over accounts. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-58434.yaml POC详情
2 None https://github.com/nltt-br/CVE-2025-58434-CVE-2025-59528-chain- POC详情
三、漏洞 CVE-2025-58434 的情报信息

  • 标题: Critical: Unauthenticated Password Reset Token Disclosure Leading to Account Takeover in Flowise Cloud and Local Deployments · Advisory · FlowiseAI/Flowise · GitHub -- 🔗来源链接

    标签: x_refsource_CONFIRM

    神龙速读
    Critical: Unauthenticated Password Reset Token Disclosure Leading to Account Takeover in Flowise Cloud and Local Deployments · Advisory · FlowiseAI/Flowise · GitHub

  • 标题: Secure password reset endpoints (#5167) · FlowiseAI/Flowise@9e178d6 · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    神龙速读
    Secure password reset endpoints (#5167) · FlowiseAI/Flowise@9e178d6 · GitHub
  • https://nvd.nist.gov/vuln/detail/CVE-2025-58434
四、漏洞 CVE-2025-58434 的评论

暂无评论

发表评论