提交 #777659: FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)信息

标题	FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)
描述	# Technical Details An Unauthenticated Credential Hash Exposure vulnerability exists in the `verify()` method in `packages/server/src/enterprise/services/account.service.ts` of FlowiseAI Flowise. The POST /api/v1/account/verify endpoint is in WHITELIST_URLS and requires no authentication. The verify() method loads the full User entity including the credential column via readUserByToken(), then returns the entire unsanitized object to the HTTP response. This is an incomplete fix for PR #5167 (commit 9e178d6) which correctly applied sanitizeUser() to resetPassword() and updateUser() but missed verify(). # Vulnerable Code File: packages/server/src/enterprise/services/account.service.ts (lines 507-530) Method: verify() Why: The function loads the full user entity with readUserByToken(), assigns it to data.user, saves it, and returns data — all without calling sanitizeUser() or deleting the credential field. The endpoint is whitelisted in constants.ts line 30 and requires no authentication. # Reproduction 1. Deploy Flowise: docker run -d --name flowise-verify -p 3000:3000 flowiseai/flowise:latest 2. Register an account. 3. Set a verification token in the database (simulating email verification flow). 4. Call the unauthenticated endpoint: POST /api/v1/account/verify with {"user":{"tempToken":"<token>"}} 5. The response contains the full user object including the bcrypt credential hash. # Impact - Unauthenticated attacker can retrieve bcrypt password hashes via valid tempToken. - Offline password cracking with hashcat/john. - Credential stuffing against other services. - Every user who verifies their email receives their hash in the browser network tab.
来源	⚠️ https://gist.github.com/YLChen-007/1d52497b0221835f99367be61612746b
用户	Eric-a (UID 96353)
提交	2026-03-11 15時01分 (3 月前)
管理	2026-05-06 09時40分 (2 months later)
状态	已接受
VulDB条目	361276 [FlowiseAI Flowise 直到 3.0.12 Endpoint account.service.ts verify 信息公开]
积分	20

◂ 上一步一览下一步 ▸

Do you need the next level of professionalism?

Upgrade your account now!