Soumettre #777656: FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)information

TitreFlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)
Description# Technical Details A Bcrypt Password Hash Exposure vulnerability exists in the login() method in packages/server/src/enterprise/services/account.service.ts of FlowiseAI Flowise. The application fails to sanitize user objects before returning them in API responses. The login() function loads the full user entity from the database via readUserByEmail(), validates the password, then returns the entire unsanitized user object — including the bcrypt credential hash, tempToken, and tokenExpiry — directly to the HTTP response. The saveInviteAccount() existing-user branch has the same flaw. Both are incomplete fix variants of PR #5167 which introduced sanitizeUser() but only applied it to forgotPassword(), resetPassword(), and updateUser(). # Vulnerable Code File: packages/server/src/enterprise/services/account.service.ts Method: login() (line 450-505) and saveInviteAccount() (line 376-377) Why: The function returns the raw user entity with the credential hash without calling sanitizeUser() or deleting sensitive fields, unlike the correctly patched functions (updateUser, saveRegisterAccount). # Reproduction 1. Deploy Flowise via Docker: docker run -d --name flowise-test -p 3000:3000 flowiseai/flowise:latest 2. Create an account and authenticate via POST /api/v1/auth/login to get a JWT cookie. 3. Call the vulnerable endpoint: POST /api/v1/account/login with the user's email and credential. The response body contains the full user object including the bcrypt password hash in data.user.credential. # Impact - Offline password cracking: Exposed bcrypt hashes can be cracked with hashcat/john. - Credential stuffing against other services where users reuse passwords. - Privilege escalation if a lower-privileged user cracks an admin's password.
La source⚠️ https://gist.github.com/YLChen-007/50a553f09aa1c7c04ce18cec13986a91
Utilisateur
 Eric-a (UID 96353)
Soumission11/03/2026 14:54 (il y a 3 mois)
Modérer06/05/2026 09:40 (2 months later)
StatutAccepté
Entrée VulDB361273 [FlowiseAI Flowise jusqu’à 3.0.12 API Response account.service.ts login divulgation d'information]
Points20

PrécédentAperçuSuivant

Do you know our Splunk app?

Download it now for free!