{"data":{"id":"b18ab1f0-15f4-4954-b773-bc29fcf73cf5","title":"CVE-2025-58434: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, t","summary":"Flowise, a tool for building custom AI workflows through a visual interface, has a critical security flaw in versions 3.0.5 and earlier where the password reset endpoint leaks sensitive information like reset tokens without requiring authentication. This allows attackers to take over any user account by generating a fake reset token and changing the user's password.","solution":"Upgrade to version 3.0.6 or later, which includes commit 9e178d68873eb876073846433a596590d3d9c863 that secures password reset endpoints. The source also recommends: (1) never return reset tokens or account details in API responses; (2) send tokens only through the user's registered email; (3) make the forgot-password endpoint respond with a generic success message to prevent attackers from discovering which accounts exist; (4) require strong validation of reset tokens, including making them single-use, giving them a short expiration time, and tying them to the request origin; and (5) apply these same fixes to both cloud and self-hosted deployments.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-58434","publishedAt":"2025-09-12T18:15:34.847Z","cveId":"CVE-2025-58434","cweIds":["CWE-306"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.07566,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-115"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}