提交 #777656: FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)信息

标题	FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)
描述	# Technical Details A Bcrypt Password Hash Exposure vulnerability exists in the login() method in packages/server/src/enterprise/services/account.service.ts of FlowiseAI Flowise. The application fails to sanitize user objects before returning them in API responses. The login() function loads the full user entity from the database via readUserByEmail(), validates the password, then returns the entire unsanitized user object — including the bcrypt credential hash, tempToken, and tokenExpiry — directly to the HTTP response. The saveInviteAccount() existing-user branch has the same flaw. Both are incomplete fix variants of PR #5167 which introduced sanitizeUser() but only applied it to forgotPassword(), resetPassword(), and updateUser(). # Vulnerable Code File: packages/server/src/enterprise/services/account.service.ts Method: login() (line 450-505) and saveInviteAccount() (line 376-377) Why: The function returns the raw user entity with the credential hash without calling sanitizeUser() or deleting sensitive fields, unlike the correctly patched functions (updateUser, saveRegisterAccount). # Reproduction 1. Deploy Flowise via Docker: docker run -d --name flowise-test -p 3000:3000 flowiseai/flowise:latest 2. Create an account and authenticate via POST /api/v1/auth/login to get a JWT cookie. 3. Call the vulnerable endpoint: POST /api/v1/account/login with the user's email and credential. The response body contains the full user object including the bcrypt password hash in data.user.credential. # Impact - Offline password cracking: Exposed bcrypt hashes can be cracked with hashcat/john. - Credential stuffing against other services where users reuse passwords. - Privilege escalation if a lower-privileged user cracks an admin's password.
来源	⚠️ https://gist.github.com/YLChen-007/50a553f09aa1c7c04ce18cec13986a91
用户	Eric-a (UID 96353)
提交	2026-03-11 14時54分 (3 月前)
管理	2026-05-06 09時40分 (2 months later)
状态	已接受
VulDB条目	361273 [FlowiseAI Flowise 直到 3.0.12 API Response account.service.ts login 信息公开]
积分	20

◂ 上一步一览下一步 ▸

Want to know what is going to be exploited?

We predict KEV entries!