Password Reset Vulnerability in Flowise Affects User Accounts
CVE-2025-58434

9.8 CRITICAL

Key Information:

Vendor: Flowiseai

Status
Vendor
CVE Published: 12 September 2025

What is CVE-2025-58434?

CVE-2025-58434 is a vulnerability in Flowise, a drag-and-drop user interface for building customized large language model workflows. It affects versions 3.0.5 and earlier and lies in the forgot-password endpoint. Under certain circumstances, this endpoint exposes sensitive information, allowing an attacker to obtain a valid password reset tempToken without any authentication or verification. As a result, an attacker can generate password reset tokens for any user account, potentially leading to complete account takeover (ATO). This is a significant risk for organizations: it undermines the integrity of user accounts and could enable further attacks or data breaches. The vulnerability affects both the cloud version and self-hosted deployments of Flowise that use the same API interface.
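The class of flaw described above, modelled as an added example that is not Flowise's code and does not come from the original page: a forgot-password handler that echoes the reset record, a hardened counterpart, and a response check suitable for a regression test. The handler names, the in-memory store, the `outbox` mail stand-in and the key pattern are all assumptions.

```javascript
// Added example: handlers, store and field pattern are hypothetical, not Flowise source.
const crypto = require('node:crypto');

// Constructed sample account store and a stand-in for the mail channel.
const users = new Map([['alice@example.test', { id: 1, email: 'alice@example.test' }]]);
const outbox = [];

// 'Before' pattern: the reset record, token included, is echoed to the caller.
function forgotPasswordLeaky(email) {
  const user = users.get(email);
  if (!user) return { status: 404, body: { error: 'User not found' } };
  user.tempToken = crypto.randomBytes(32).toString('hex');
  user.tokenExpiry = Date.now() + 15 * 60 * 1000;
  return { status: 201, body: { user } };
}

// Hardened pattern: store only a hash of the token, deliver the token by mail,
// and answer identically whether or not the account exists.
function forgotPasswordHardened(email) {
  const user = users.get(email);
  if (user) {
    const token = crypto.randomBytes(32).toString('hex');
    user.tempTokenHash = crypto.createHash('sha256').update(token).digest('hex');
    user.tokenExpiry = Date.now() + 15 * 60 * 1000;
    outbox.push({ to: user.email, token });
  }
  return { status: 200, body: { message: 'If the account exists, a reset link was sent.' } };
}

// Regression check: walk a response body and return the paths of secret-bearing keys.
const SENSITIVE_KEY = /token|password|credential|secret/i;
function findLeakedFields(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const here = path ? `${path}.${key}` : key;
    const hit = SENSITIVE_KEY.test(key) ? [here] : [];
    return hit.concat(findLeakedFields(child, here));
  });
}
```

Running `findLeakedFields` over the body of every unauthenticated account endpoint in an API test suite catches this kind of regression before release.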

Potential Impact of CVE-2025-58434

  1. Account Takeover: The most immediate and severe impact is the potential for account takeover. An attacker leveraging this vulnerability can reset passwords arbitrarily, granting them access to sensitive user accounts, potentially leading to unauthorized access to organization data.

  2. Data Breach Risk: The exploitation of this vulnerability can facilitate data breaches, as attackers may gain access to confidential user information, proprietary data, or other critical resources tied to compromised accounts.

  3. Reputational Damage: Organizations affected by this vulnerability may suffer significant reputational harm. The loss of user trust resulting from compromised accounts and data breaches can have long-lasting effects on customer relationships and brand integrity.

Affected Version(s)

Flowise <= 3.0.5

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
