FlowiseAI Flowise
cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*
- <= 3.0.12
FlowiseAI Flowise versions through 3.0.12 contain an information disclosure vulnerability in the account verification endpoint: the response of the verification API exposes users' bcrypt password hashes. The flaw arises because the verification method retrieves the full user entity, including the credential hash, and returns it without sanitizing the response. The endpoint is whitelisted for unauthenticated access, so the issue is remotely exploitable. The vulnerability is considered to have high attack complexity, making exploitation difficult.
Exploitation allows an unauthenticated attacker who holds a valid verification token to obtain a user's bcrypt password hash, which can then be cracked offline. If the user reuses the password on other services, the exposed hash enables credential stuffing. The hash may additionally be captured in plaintext by server-side logging of the response, widening the exposure.
To reproduce this vulnerability, register a user account on a Flowise instance that requires email verification. After registration, intercept the verification token sent via email. Then make an unauthenticated POST request to the '/api/v1/account/verify' endpoint with the intercepted verification token in the request body. The response contains the user's bcrypt password hash, which can be extracted and cracked offline.
Users are advised to upgrade to the patched version of FlowiseAI Flowise.
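The root cause described above is a handler returning the full persisted user entity. The following added example (not Flowise's code; entity fields, the tempToken column and the in-memory store are assumptions) contrasts that pattern with an allowlisted response type and adds a check that flags any bcrypt-shaped value in a serialized response, which is the regression test a defender would want.

```typescript
// Added illustration, not Flowise's implementation. Field names are assumptions.
interface UserEntity {
  id: string;
  email: string;
  name: string;
  status: "unverified" | "verified";
  credential: string;   // bcrypt hash; sample value below is constructed
  tempToken?: string;   // assumed name for the pending verification token
}

// Allowlist of fields that may reach the client. Anything not listed cannot leak,
// even if the entity later grows more sensitive columns.
type PublicUser = Pick<UserEntity, "id" | "email" | "name" | "status">;

export function toPublicUser(user: UserEntity): PublicUser {
  const { id, email, name, status } = user;
  return { id, email, name, status };
}

// Vulnerable pattern: the whole entity, credential hash included, is returned.
export function verifyVulnerable(token: string, users: UserEntity[]): UserEntity {
  const user = users.find((u) => u.tempToken === token);
  if (!user) throw new Error("invalid or expired verification token");
  user.status = "verified";
  user.tempToken = undefined;
  return user;
}

// Hardened pattern: same state change, but only the allowlisted view is returned.
export function verifyHardened(token: string, users: UserEntity[]): PublicUser {
  const user = users.find((u) => u.tempToken === token);
  if (!user) throw new Error("invalid or expired verification token");
  user.status = "verified";
  user.tempToken = undefined;
  return toPublicUser(user);
}

// Detects a bcrypt-formatted string anywhere in a serialized response body
// ($2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+digest).
const BCRYPT_RE = /\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}/;
export function leaksHash(response: unknown): boolean {
  return BCRYPT_RE.test(JSON.stringify(response));
}

// Constructed sample store: one unverified user with a fake bcrypt-shaped hash.
export function sampleUsers(): UserEntity[] {
  const fakeHash = "$2b$12$" + "abcdefghij".repeat(5) + "klm";
  return [{ id: "u1", email: "a@example.test", name: "A", status: "unverified",
            credential: fakeHash, tempToken: "tok-123" }];
}
```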