| Field | Value |
|---|---|
| Title | FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200) |
| Source | ⚠️ https://gist.github.com/YLChen-007/50a553f09aa1c7c04ce18cec13986a91 |
| User | Eric-a (UID 96353) |
| Submitted | 11/03/2026 14:54 (3 months ago) |
| Moderated | 06/05/2026 09:40 (2 months later) |
| Status | accepted |
| VulDB entry | 361273 [FlowiseAI Flowise up to 3.0.12 API Response account.service.ts login information disclosure] |
| Points | 20 |

# Description

## Technical Details

A bcrypt password hash exposure vulnerability exists in the login() method in packages/server/src/enterprise/services/account.service.ts of FlowiseAI Flowise.

The application fails to sanitize user objects before returning them in API responses. The login() function loads the full user entity from the database via readUserByEmail(), validates the password, and then returns the entire unsanitized user object, including the bcrypt credential hash, tempToken and tokenExpiry, directly in the HTTP response. The existing-user branch of saveInviteAccount() has the same flaw. Both are incomplete-fix variants of PR #5167, which introduced sanitizeUser() but applied it only to forgotPassword(), resetPassword() and updateUser().

## Vulnerable Code

File: packages/server/src/enterprise/services/account.service.ts

Method: login() (lines 450-505) and saveInviteAccount() (lines 376-377)

Why: the function returns the raw user entity, credential hash included, without calling sanitizeUser() or deleting the sensitive fields, unlike the correctly patched functions (updateUser, saveRegisterAccount).

## Reproduction

1. Deploy Flowise via Docker: `docker run -d --name flowise-test -p 3000:3000 flowiseai/flowise:latest`
2. Create an account and authenticate via POST /api/v1/auth/login to get a JWT cookie.
3. Call the vulnerable endpoint: POST /api/v1/account/login with the user's email and credential. The response body contains the full user object, including the bcrypt password hash in data.user.credential.

## Impact

- Offline password cracking: exposed bcrypt hashes can be attacked with hashcat/john.
- Credential stuffing against other services where users reuse passwords.
- Privilege escalation if a lower-privileged user cracks an admin's password.
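The flawed and corrected login() shapes described under Vulnerable Code, as an added TypeScript example that is not Flowise's own code. Assumptions: the User type, the in-memory readUserByEmail() stand-in, and scrypt from node:crypto in place of bcrypt (so the example runs without dependencies); only the field names credential, tempToken and tokenExpiry and the function names come from the advisory.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";
// Assumed entity shape; the three sensitive field names come from the advisory.
interface User {
  id: string;
  email: string;
  credential: string; // password hash (bcrypt in Flowise; scrypt stands in here)
  tempToken?: string;
  tokenExpiry?: Date;
}
const SENSITIVE_FIELDS = ["credential", "tempToken", "tokenExpiry"] as const;
type SafeUser = Omit<User, (typeof SENSITIVE_FIELDS)[number]>;

// Allow-list public fields rather than deleting known secrets, so a secret column added later stays hidden.
function sanitizeUser(user: User): SafeUser {
  return { id: user.id, email: user.email };
}

function hashPassword(password: string, salt = randomBytes(16).toString("hex")): string {
  return `${salt}$${scryptSync(password, salt, 32).toString("hex")}`;
}
function verifyPassword(password: string, stored: string): boolean {
  const [salt, hex] = stored.split("$");
  if (!salt || !hex) return false;
  const expected = Buffer.from(hex, "hex");
  const actual = scryptSync(password, salt, 32);
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Constructed in-memory store standing in for readUserByEmail().
const USERS = new Map<string, User>([["alice@example.com", {
  id: "u-1", email: "alice@example.com",
  credential: hashPassword("correct horse battery staple", "0123456789abcdef"),
  tempToken: "constructed-reset-token", tokenExpiry: new Date("2026-01-01T00:00:00Z"),
}]]);
const readUserByEmail = (email: string): User | undefined => USERS.get(email);

// Flawed pattern from the advisory: the raw entity goes straight into the response.
function loginVulnerable(email: string, password: string): { user: User } {
  const user = readUserByEmail(email);
  if (!user || !verifyPassword(password, user.credential)) throw new Error("invalid credentials");
  return { user };
}
// Fixed pattern: same flow, but only the sanitized projection leaves the service.
function loginFixed(email: string, password: string): { user: SafeUser } {
  return { user: sanitizeUser(loginVulnerable(email, password).user) };
}
// Regression check for a serialized response body: which sensitive keys appear?
function leakedFields(body: unknown): string[] {
  return SENSITIVE_FIELDS.filter((f) => JSON.stringify(body).includes(`"${f}":`));
}
```

leakedFields() is the kind of check worth running in a response-serialization test for every account endpoint, since the advisory's root cause is a sanitizer applied to some handlers but not others.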