CVE-2025-58434

Flowise · Flowise

The Flowise drag-and-drop LLM builder contains an information disclosure vulnerability in its forgot-password endpoint, allowing unauthorized access to sensitive data.

Executive summary

A critical information disclosure vulnerability in Flowise version 3.0.5 and earlier exposes sensitive data via the forgot-password endpoint, posing a severe risk to system security.

Vulnerability

This vulnerability involves an improper information disclosure within the forgot-password endpoint. The flaw allows an unauthenticated attacker to retrieve sensitive system information by interacting with this specific API path.

Business impact

The exposure of sensitive information via the authentication recovery process can lead to a complete compromise of user accounts and proprietary LLM flow configurations. Given the high CVSS score of 9.8, the potential for unauthorized data exfiltration and subsequent system takeover is significant, posing a high risk to organizational confidentiality and integrity.

Remediation

Immediate Action: Upgrade to the latest version of Flowise to patch the insecure endpoint.

Proactive Monitoring: Review application access logs for unusual patterns or spikes in requests directed toward the forgot-password endpoint.

Compensating Controls: Implement rate limiting and restrict network access to the administrative and password recovery endpoints via a Web Application Firewall (WAF) or VPN.
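
The log review described under Proactive Monitoring, as an added example that is not part of the original advisory or Flowise's own code. It assumes a reverse proxy in front of Flowise writing Combined Log Format in chronological order, matches any request path containing `forgot-password`, and uses hypothetical defaults of 5 requests in 5 minutes; the sample lines, IP addresses and `/example/` path prefix are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a reverse proxy (nginx/Apache) in front of Flowise writes
# Combined Log Format, in chronological order.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_forgot_password_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: peak count} for clients that sent at least
    `threshold` forgot-password requests within any sliding `window`."""
    recent = defaultdict(deque)  # ip -> request times still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not Combined Log Format; ignore
        path = m["path"].split("?", 1)[0].lower()
        if "forgot-password" not in path:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

# Constructed sample data: documentation IP ranges, placeholder path prefix.
SAMPLE_FMT = '{ip} - - [12/Sep/2025:10:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
SAMPLE_LOG = [
    SAMPLE_FMT.format(ip="198.51.100.7", mm=0, ss=s, req="POST /example/forgot-password")
    for s in range(6)
] + [
    SAMPLE_FMT.format(ip="203.0.113.20", mm=1, ss=0, req="POST /example/forgot-password"),
    SAMPLE_FMT.format(ip="203.0.113.20", mm=2, ss=0, req="GET /example/login"),
]

if __name__ == "__main__":
    for ip, peak in find_forgot_password_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} forgot-password requests within 5 minutes")
```

Tune `threshold` and `window` to the instance's normal password-reset volume before alerting on the output.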

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability necessitates immediate attention. Administrators must prioritize updating the Flowise instance to a version beyond 3.0.5 to mitigate the risk of unauthorized data access.