CVE-2025-71328
Severity: HIGH
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
If you use Flowise, you are affected.
What should I do?
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Frequently Asked Questions
What is CVE-2025-71328?
Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.
Is CVE-2025-71328 actively exploited?
No confirmed active exploitation of CVE-2025-71328 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-71328?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2025-71328?
CVE-2025-71328 has a CVSS v3.1 base score of 8.3 (HIGH).
What are the technical details?
Weaknesses (CWE)
CWE-620 — Unverified Password Change: When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
- [Architecture and Design] When prompting for a password change, force the user to provide the original password in addition to the new password.
- [Architecture and Design] Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
References
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch vendor-advisory
- vulncheck.com/advisories/flowise-unverified-password-change-via-account-settings third-party-advisory
Related Vulnerabilities
- CVE-2025-71338 (10.0), same package (flowise): analysis pending
- CVE-2025-59528 (10.0), same package (flowise): Flowise: Unauthenticated RCE via MCP config injection
- CVE-2025-61913 (9.9), same package (flowise): Flowise: path traversal in file tools leads to RCE
- CVE-2026-40933 (9.9), same package (flowise): Flowise: RCE via MCP stdio command injection
- CVE-2026-46442 (9.9), same package (flowise): Flowise: sandbox escape enables authenticated RCE