Flowise
cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*
- <= 3.1.1
A vulnerability in Flowise prior to version 3.1.2 allows authenticated users to access unredacted encrypted credential data, such as API keys and tokens, when using the 'credentialName' filter parameter. This data leak occurs because the 'encryptedData' field is not properly omitted from the response when the filter is applied, despite the code correctly excluding it when no filter is used. The issue has been patched in version 3.1.2.
Exploitation of this vulnerability allows for the extraction of encrypted credential data, including API keys, passwords, and service tokens. If the encryption key file is accessible, this enables full credential theft.
To reproduce this vulnerability, send a request to the Flowise API credentials endpoint with the 'credentialName' filter parameter. The response will include the 'encryptedData' field containing AES-encrypted credentials, such as OpenAI API keys, despite the expectation that this data should be omitted when the filter is used.
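The flaw class described above, as an added example that is not Flowise's own code: a constructed in-memory credential store with a handler that mirrors the reported bug (redaction only on the unfiltered path), the hardened shape that redacts every row through one allowlist after any filter, and a check that can be run over API responses in a regression test. The type names, `store`, the handler names and the sample rows are all assumptions.

```typescript
// Constructed model of the bug class; not Flowise code. The ciphertexts are placeholders.
interface StoredCredential {
  id: string;
  name: string;
  credentialName: string; // the filter key named in the advisory, e.g. "openAIApi"
  encryptedData: string;  // AES ciphertext of the secret; must never reach an API client
}
type CredentialView = Pick<StoredCredential, "id" | "name" | "credentialName">;

const store: StoredCredential[] = [
  { id: "1", name: "prod-openai", credentialName: "openAIApi", encryptedData: "PLACEHOLDER_CIPHERTEXT_1" },
  { id: "2", name: "slack-bot", credentialName: "slackApi", encryptedData: "PLACEHOLDER_CIPHERTEXT_2" },
];

// Single redaction point: an explicit allowlist of fields, so a new secret column
// added later is not exposed by accident either.
function redact(c: StoredCredential): CredentialView {
  return { id: c.id, name: c.name, credentialName: c.credentialName };
}

// Vulnerable shape: only the unfiltered branch redacts; the filtered branch
// returns the raw rows, which is the behaviour the advisory describes.
function listCredentialsVulnerable(credentialName?: string): object[] {
  if (credentialName === undefined) {
    return store.map(redact);
  }
  return store.filter((c) => c.credentialName === credentialName); // leaks encryptedData
}

// Hardened shape: select rows first, then pass every result through the same
// redaction, so no code path can return a raw record.
function listCredentials(credentialName?: string): CredentialView[] {
  const rows = credentialName === undefined
    ? store
    : store.filter((c) => c.credentialName === credentialName);
  return rows.map(redact);
}

// Response check for tests or a reviewer: true if any returned object still carries the secret field.
function leaksEncryptedData(rows: object[]): boolean {
  return rows.some((r) => Object.prototype.hasOwnProperty.call(r, "encryptedData"));
}
```

Wiring `leaksEncryptedData` into the credentials endpoint's tests, with and without the filter, is what would have caught this regression before release.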
Users can update to Flowise version 3.1.2, where this vulnerability has been fixed.