VDB
CNVD-2025-21415
PUBLISHED
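Flowise is an open-source tool from FlowiseAI for easily building LLM applications. Flowise 3.0.5 and earlier contain an access control error vulnerability, which stems from the forgot-password endpoint returning the password reset token without verification. An attacker can exploit this vulnerability to take over accounts.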
Exploit Intelligence
- Full walkthrough of HackTheBox "Silentium" (Medium/Linux). Chains three CVEs: CVE-2025-58434 leaks a Flowise password reset token unauthenticated, enabling account takeover; CVE-2025-59528 achieves RCE via unsanitized CustomMCP node; env vars expose SSH credentials for lateral movement. CVE-2025-8110 exploits Gogs symlink write as root to escalate. (github-poc-repo)
- Full walkthrough of HackTheBox "Silentium" (Medium/Linux). Chains three CVEs: CVE-2025-58434 leaks a Flowise password reset token unauthenticated, enabling account takeover; CVE-2025-59528 achieves RCE via unsanitized CustomMCP node; env vars expose SSH credentials for lateral movement. CVE-2025-8110 exploits Gogs symlink write as root to escalate. (github-poc)
- This repository contains a Proof of Concept (PoC) Python script for CVE-2025-58434, which enables attackers to change passwords of other users without authentication process in flowise version 3.0.5 and lower due to token leakage. (github-poc-repo)
- This repository contains a Proof of Concept (PoC) Python script for CVE-2025-58434, which enables attackers to change passwords of other users without authentication process in flowise version 3.0.5 and lower due to token leakage. (github-poc)
- CVE-2025-58434 and CVE-2025-59528 chain POC (github-poc-repo)
…and 64 more exploits
Timeline
- Sep 12, 2025 CVE Published