
Cloud Vulnerability DB
Community-driven vulnerability database
CVE-2025-58434 affects Flowise, a drag & drop user interface for building customized large language model flows. The vulnerability is present in version 3.0.5 and earlier, where the forgot-password endpoint returns sensitive information, including valid password reset tokens, without any authentication or verification. This critical vulnerability was disclosed on September 12, 2025, and affects both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments (GitHub Advisory).
The vulnerability exists in the /api/v1/account/forgot-password endpoint, which accepts an email address as input. Instead of only sending a reset email, the API responds with sensitive user details including the user ID, name, email, hashed credential, status, timestamps and, most critically, a valid tempToken and its expiry intended for the password reset. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitability with no required privileges or user interaction (GitHub Advisory).
The vulnerability enables any unauthenticated attacker to generate a reset token for arbitrary users and directly reset their passwords, leading to complete account takeover (ATO). Since the vulnerability affects both cloud and self-hosted deployments, any exposed instance is vulnerable. Attackers can compromise any account, including administrator or high-value accounts, with only knowledge of the target's email address. This can result in full account takeover, data exposure, impersonation, and possible control over organizational assets (GitHub Advisory).
A fix has been implemented in commit 9e178d68873eb876073846433a596590d3d9c863. Recommended remediation steps include: not returning reset tokens or sensitive account details in API responses, delivering tokens only via the registered email channel, ensuring forgot-password responds with a generic success message, requiring strong validation of the tempToken, applying fixes to both cloud and self-hosted deployments, logging and monitoring password reset requests, and considering multi-factor verification for sensitive accounts (GitHub Advisory, GitHub Commit).
Source: This report was generated using AI.