
CVE-2025-58434 Scanner - Account Takeover vulnerability in Flowise
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 2 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Flowise is used by organizations to build AI agents visually, facilitating easy and interactive machine learning model creation and deployment. It is often utilized by developers, data scientists, and IT professionals seeking an intuitive way to engage in AI-driven tasks. The software supports integration into larger data ecosystems, allowing teams to create precise AI functionalities tailored to specific business needs. Due to its flexibility, Flowise is suitable for industries ranging from marketing to finance, assisting in predictive analysis and decision-making. A crucial aspect of its popularity is the capability to manage AI agents without extensive programming knowledge, making it accessible for various skill levels. Its comprehensive user interface enables rapid testing and deployment, enhancing the efficiency of AI development processes.
The Account Takeover vulnerability detected in Flowise allows unauthorized users to gain control over accounts. This vulnerability resides in the forgot-password endpoint, which provides valid reset tokens without authentication. Attackers can utilize this flaw to reset passwords and subsequently take over user accounts. This poses a significant security risk as unauthorized access can lead to data breaches and unauthorized manipulation of AI agents. Protecting sensitive information and ensuring secure access processes is vital to preventing such unauthorized activities. Organizations using Flowise need to be aware of this vulnerability to safeguard their AI and associated data effectively.
The vulnerability is in the forgot-password API endpoint, which issues password reset tokens without proper authentication. An attacker who sends a crafted request to this endpoint obtains a valid token because the request is not properly validated. That token can then be submitted to the reset-password endpoint to change the password without authorization. The missing authentication checks in this flow are the core of the vulnerability: they let an attacker act as a legitimate user and hijack the account, which increases the risk of data compromise and malicious activity.
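The flawed pattern described above, reduced to a minimal sketch beside a hardened reset flow, with a check that a forgot-password response carries no credential. This is an added example, not Flowise source code; createAuthService, the in-memory users map, sendMail, leaksSecret, the 15-minute lifetime and the response shapes are all hypothetical.

```javascript
// Added illustration, not Flowise source; every name here is hypothetical.
// WebCrypto is a global in Node 19+ and exported from node:crypto before that.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed token lifetime
const GENERIC_REPLY = { message: 'If the account exists, a reset link has been sent.' };

function newToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

function createAuthService(users, sendMail, now = Date.now) {
  const pending = new Map(); // token -> { email, expires }
  const issue = (email) => {
    const token = newToken();
    pending.set(token, { email, expires: now() + TOKEN_TTL_MS });
    return token;
  };
  return {
    // Flawed pattern: the unauthenticated caller gets the reset token back.
    forgotPasswordVulnerable(email) {
      if (!users.has(email)) return { status: 404, body: { message: 'User not found' } };
      return { status: 200, body: { email, resetToken: issue(email) } };
    },
    // Hardened: the token goes only to the mailbox; the reply never varies.
    forgotPassword(email) {
      if (users.has(email)) sendMail(email, issue(email));
      return { status: 200, body: GENERIC_REPLY };
    },
    // Tokens are single-use and expire; failure reasons are not distinguished.
    resetPassword(token, newPassword) {
      const entry = pending.get(token);
      pending.delete(token);
      if (!entry || entry.expires < now()) {
        return { status: 400, body: { message: 'Invalid or expired token' } };
      }
      users.set(entry.email, newPassword); // real code stores a password hash
      return { status: 200, body: { message: 'Password updated' } };
    },
  };
}

// Regression check: true if any key in a response body looks like a credential.
function leaksSecret(body) {
  return Object.entries(body ?? {}).some(([key, value]) =>
    /token|secret|password/i.test(key) ||
    (value !== null && typeof value === 'object' && leaksSecret(value)));
}
```

Running leaksSecret over the forgot-password response in an integration test catches a regression to the flawed behaviour before release.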
Exploitation of this vulnerability could result in unauthorized access to user accounts, leading to potential data breaches and loss of sensitive information. Attackers could manipulate AI agents, alter data, and potentially sabotage business-critical systems. Without mitigation, these unauthorized activities may result in financial losses, reputational damage, and legal implications for organizations using Flowise. The security breach could also undermine trust with customers and stakeholders, affecting business operations adversely.
REFERENCES