提出 #777656: FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)情報

タイトル	FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)
説明	# Technical Details A Bcrypt Password Hash Exposure vulnerability exists in the login() method in packages/server/src/enterprise/services/account.service.ts of FlowiseAI Flowise. The application fails to sanitize user objects before returning them in API responses. The login() function loads the full user entity from the database via readUserByEmail(), validates the password, then returns the entire unsanitized user object — including the bcrypt credential hash, tempToken, and tokenExpiry — directly to the HTTP response. The saveInviteAccount() existing-user branch has the same flaw. Both are incomplete fix variants of PR #5167 which introduced sanitizeUser() but only applied it to forgotPassword(), resetPassword(), and updateUser(). # Vulnerable Code File: packages/server/src/enterprise/services/account.service.ts Method: login() (line 450-505) and saveInviteAccount() (line 376-377) Why: The function returns the raw user entity with the credential hash without calling sanitizeUser() or deleting sensitive fields, unlike the correctly patched functions (updateUser, saveRegisterAccount). # Reproduction 1. Deploy Flowise via Docker: docker run -d --name flowise-test -p 3000:3000 flowiseai/flowise:latest 2. Create an account and authenticate via POST /api/v1/auth/login to get a JWT cookie. 3. Call the vulnerable endpoint: POST /api/v1/account/login with the user's email and credential. The response body contains the full user object including the bcrypt password hash in data.user.credential. # Impact - Offline password cracking: Exposed bcrypt hashes can be cracked with hashcat/john. - Credential stuffing against other services where users reuse passwords. - Privilege escalation if a lower-privileged user cracks an admin's password.
ソース	⚠️ https://gist.github.com/YLChen-007/50a553f09aa1c7c04ce18cec13986a91
ユーザー	Eric-a (UID 96353)
送信	2026年03月11日 14:54 (3 月 ago)
モデレーション	2026年05月06日 09:40 (2 months later)
ステータス	承諾済み
VulDBエントリ	361273 [FlowiseAI Flowise 迄 3.0.12 API Response account.service.ts login 情報漏えい]
ポイント	20

◂ 前概要次 ▸

Might our Artificial Intelligence support you?

Check our Alexa App!