FlowiseAI Flowise
cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*
- <= 3.0.13
An authentication bypass vulnerability has been identified in FlowiseAI Flowise versions prior to 3.1.0. The issue lies in the resetPassword method of the AccountService class, which never checks that a password reset token has actually been generated for the user before honouring a reset request. Because the stored reset token defaults to null or an empty string (for example once the user has completed a previous reset), a request that supplies a null or empty token matches that default and passes the token comparison. A remote attacker who knows a target user's email address can therefore call the password reset endpoint with a null or empty token and set that user's password to a value of their choice, bypassing authentication entirely.
Successful exploitation lets an unauthenticated attacker reset arbitrary users' passwords and log in as those users, gaining unauthorized access to their accounts.
To reproduce this vulnerability, create a user account and wait 15 minutes, or the duration configured in the PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES environment variable. Then send a POST request to the '/api/v1/account/reset-password' endpoint with a null or empty string as the reset token and a new password. The request succeeds and changes the user's password, granting access to the account.
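To make the flaw concrete, the following is an added example in TypeScript (the language Flowise is written in); it is illustrative code written for this page, not Flowise's own source or its 3.1.0 patch. It places a reset handler reconstructed from the description above, whose only gate is token equality, beside a hardened handler that refuses a reset when no token is outstanding. The UserRecord shape, the field names tempToken and tokenExpiry, the hashStandIn placeholder, and the demo function are assumptions made for illustration.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Constructed user record for this example; the field names are an assumption,
// not Flowise's schema. A freshly created account has no outstanding reset token,
// so tempToken and tokenExpiry are null, the default state the advisory describes.
interface UserRecord {
  email: string;
  passwordHash: string;        // stand-in value; a real service stores a bcrypt/argon2 hash
  tempToken: string | null;    // null (or "") until a reset has been requested
  tokenExpiry: Date | null;
}

const PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES = 15;

function hashStandIn(password: string): string {
  // Placeholder so the example runs offline; never store passwords like this.
  return `hash(${password})`;
}

function createUser(email: string, password: string): UserRecord {
  return { email, passwordHash: hashStandIn(password), tempToken: null, tokenExpiry: null };
}

// Forgot-password step: store a fresh random token with an expiry and return it
// (a real system would e-mail it to the user rather than return it to the caller).
function issueResetToken(user: UserRecord, now: Date = new Date()): string {
  const token = randomBytes(32).toString("hex");
  user.tempToken = token;
  user.tokenExpiry = new Date(now.getTime() + PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES * 60_000);
  return token;
}

// VULNERABLE pattern, reconstructed from the advisory's description rather than
// copied from Flowise: the only gate is equality between the stored token and the
// one in the request. When no token was ever issued the stored value is null, so a
// request carrying null satisfies the check and the password is overwritten.
function resetPasswordVulnerable(user: UserRecord, suppliedToken: string | null, newPassword: string): boolean {
  if (user.tempToken !== suppliedToken) return false; // null === null and "" === "" both pass
  user.passwordHash = hashStandIn(newPassword);
  return true;
}

// HARDENED version: the reset is honoured only if a token is actually outstanding,
// the client sent a non-empty one, it has not expired, it matches in constant time,
// and it is consumed so it cannot be replayed.
function resetPasswordFixed(user: UserRecord, suppliedToken: string | null, newPassword: string, now: Date = new Date()): boolean {
  if (!user.tempToken || !user.tokenExpiry) return false;                       // nothing was issued
  if (typeof suppliedToken !== "string" || suppliedToken === "") return false;  // no token in request
  if (now.getTime() > user.tokenExpiry.getTime()) return false;                 // expired
  const stored = Buffer.from(user.tempToken, "utf8");
  const given = Buffer.from(suppliedToken, "utf8");
  if (stored.length !== given.length || !timingSafeEqual(stored, given)) return false;
  user.passwordHash = hashStandIn(newPassword);
  user.tempToken = null;   // single use
  user.tokenExpiry = null;
  return true;
}

// Walk-through of the advisory's reproduction: a fresh account, a null token,
// an attacker-chosen password, tried against both handlers.
function demo(): { vulnerableAccepted: boolean; fixedRejected: boolean } {
  const victimA = createUser("victim@example.test", "original-password");
  const victimB = createUser("victim@example.test", "original-password");
  return {
    vulnerableAccepted: resetPasswordVulnerable(victimA, null, "attacker-chosen"),
    fixedRejected: !resetPasswordFixed(victimB, null, "attacker-chosen"),
  };
}

console.log(demo()); // { vulnerableAccepted: true, fixedRejected: true }
```

Run it with ts-node or tsx. The hardened handler's expiry check, constant-time comparison and single-use invalidation go beyond the missing "was a token issued" check the advisory describes; they are what a practitioner would expect of any reset flow, and they are cheap to add while the handler is being touched.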
Users should update to Flowise version 3.1.0 or later, where this vulnerability has been patched.