GHSA-59fh-9f3p-7m39 — MEDIUM

Q: Is GHSA-59fh-9f3p-7m39 actively exploited?

No confirmed active exploitation of GHSA-59fh-9f3p-7m39 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-59fh-9f3p-7m39?

1. Patch: upgrade to Flowise 3.1.2 which introduces field allowlisting in the user update endpoint to block mass assignment. 2. Interim network control: restrict Flowise admin and API access to trusted IP ranges or place behind a VPN to reduce the session-theft surface required for exploitation. 3. Detection: audit API gateway or web server logs for PUT /api/v1/user requests containing a 'credential' field in the body while absent of 'oldPassword' — this pattern is the attack signature. 4. Rotate all LLM provider API keys and integration credentials stored in any Flowise instance that may have been exposed. 5. Force re-authentication for all active Flowise sessions post-patching. 6. Review Flowise access logs and workflow change history for unexpected account activity or configuration modifications in the period prior to patching.

Q: What systems are affected by GHSA-59fh-9f3p-7m39?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, AI pipeline management.

Q: What is the CVSS score for GHSA-59fh-9f3p-7m39?

No CVSS score has been assigned yet.

CISO Take

Flowise, a widely deployed open-source AI agent and workflow builder, contains a mass assignment flaw (CWE-915) in its PUT /api/v1/user endpoint that lets any authenticated user directly overwrite their stored password hash — bypassing current password verification, bcrypt re-hashing, policy enforcement, and session invalidation in a single crafted API call. Although an ID check prevents horizontal account takeover, this vulnerability creates a reliable persistence pathway: an adversary with even brief session access (via XSS, JWT token leak, or a shared device) can permanently commandeer the account before the window closes. With 79 historical CVEs in the Flowise npm package and a trivial single-request PoC published in the advisory, any internet-exposed Flowise instance managing LLM API keys, agent configurations, or customer data should be treated as urgently at risk. Upgrade to Flowise 3.1.2 immediately; as an interim control, restrict network access to trusted IP ranges and monitor PUT /api/v1/user traffic for requests that include a 'credential' field without 'oldPassword'.

Sources: GitHub Advisory ATLAS

What is the risk?

Operationally higher risk than the medium CVSS label suggests for AI-centric teams. Exploitation requires only a valid JWT — obtainable through routine web attack vectors (XSS, phishing, credential stuffing) — and a pre-computed bcrypt hash, making the exploitation bar trivially low. The attack is silent: no password policy triggers fire, no session invalidation occurs, and no secondary notification is sent to the account owner. Flowise instances typically hold high-value assets including LLM provider API keys, agent orchestration logic, and RAG data sources, amplifying impact well beyond a standard account compromise. No KEV listing or EPSS data are available, but the published PoC in the advisory effectively eliminates the exploit development barrier for any authenticated attacker.

Attack Kill Chain

Initial Access

Attacker obtains a valid Flowise JWT token via XSS in the chat interface, token interception, phishing, or a shared/compromised device session

AML.T0012

Exploitation

Attacker submits a crafted PUT /api/v1/user request with a self-generated bcrypt hash in the 'credential' field, bypassing all password change security controls at the service layer

AML.T0049

Credential Persistence

Database password hash is silently overwritten with no session invalidation, policy check, or owner notification, granting the attacker durable independent account control

AML.T0106

Impact

Attacker leverages persistent access to harvest LLM provider API keys, exfiltrate data processed by AI agent workflows, and modify pipeline configurations for further exploitation or sabotage

AML.T0083

Initial Access

Attacker obtains a valid Flowise JWT token via XSS in the chat interface, token interception, phishing, or a shared/compromised device session

AML.T0012

Exploitation

Attacker submits a crafted PUT /api/v1/user request with a self-generated bcrypt hash in the 'credential' field, bypassing all password change security controls at the service layer

AML.T0049

Credential Persistence

Database password hash is silently overwritten with no session invalidation, policy check, or owner notification, granting the attacker durable independent account control

AML.T0106

Impact

Attacker leverages persistent access to harvest LLM provider API keys, exfiltrate data processed by AI agent workflows, and modify pipeline configurations for further exploitation or sabotage

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
flowise	npm	<= 3.1.1	`3.1.2`

Do you use flowise? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

6 steps

Patch: upgrade to Flowise 3.1.2 which introduces field allowlisting in the user update endpoint to block mass assignment.
Interim network control: restrict Flowise admin and API access to trusted IP ranges or place behind a VPN to reduce the session-theft surface required for exploitation.
Detection: audit API gateway or web server logs for PUT /api/v1/user requests containing a 'credential' field in the body while absent of 'oldPassword' — this pattern is the attack signature.
Rotate all LLM provider API keys and integration credentials stored in any Flowise instance that may have been exposed.
Force re-authentication for all active Flowise sessions post-patching.
Review Flowise access logs and workflow change history for unexpected account activity or configuration modifications in the period prior to patching.

Classification

Auth Bypass Agent AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0083 - Credentials from AI Agent Configuration AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.2.2 - Information security in AI system development

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-59fh-9f3p-7m39?

Flowise, a widely deployed open-source AI agent and workflow builder, contains a mass assignment flaw (CWE-915) in its PUT /api/v1/user endpoint that lets any authenticated user directly overwrite their stored password hash — bypassing current password verification, bcrypt re-hashing, policy enforcement, and session invalidation in a single crafted API call. Although an ID check prevents horizontal account takeover, this vulnerability creates a reliable persistence pathway: an adversary with even brief session access (via XSS, JWT token leak, or a shared device) can permanently commandeer the account before the window closes. With 79 historical CVEs in the Flowise npm package and a trivial single-request PoC published in the advisory, any internet-exposed Flowise instance managing LLM API keys, agent configurations, or customer data should be treated as urgently at risk. Upgrade to Flowise 3.1.2 immediately; as an interim control, restrict network access to trusted IP ranges and monitor PUT /api/v1/user traffic for requests that include a 'credential' field without 'oldPassword'.

Is GHSA-59fh-9f3p-7m39 actively exploited?

No confirmed active exploitation of GHSA-59fh-9f3p-7m39 has been reported, but organizations should still patch proactively.

How to fix GHSA-59fh-9f3p-7m39?

1. Patch: upgrade to Flowise 3.1.2 which introduces field allowlisting in the user update endpoint to block mass assignment. 2. Interim network control: restrict Flowise admin and API access to trusted IP ranges or place behind a VPN to reduce the session-theft surface required for exploitation. 3. Detection: audit API gateway or web server logs for PUT /api/v1/user requests containing a 'credential' field in the body while absent of 'oldPassword' — this pattern is the attack signature. 4. Rotate all LLM provider API keys and integration credentials stored in any Flowise instance that may have been exposed. 5. Force re-authentication for all active Flowise sessions post-patching. 6. Review Flowise access logs and workflow change history for unexpected account activity or configuration modifications in the period prior to patching.

What systems are affected by GHSA-59fh-9f3p-7m39?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, AI pipeline management.

What is the CVSS score for GHSA-59fh-9f3p-7m39?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential (password hash), bypassing the intended password change workflow. Because the endpoint forwards the entire request body to the service layer without filtering, an attacker can override the credential field without providing the current password. This bypasses several security protections including: - old password verification - password hashing enforcement - password policy validation - session invalidation on password change While the vulnerability cannot be used to modify other users due to an ID check in the controller, it allows attackers who obtain a temporary session (e.g., via token theft or XSS) to establish persistent account access. ### Details The endpoint **PUT /api/v1/user** allows authenticated users to update their user profile. The controller checks that the authenticated user matches the provided id, preventing direct IDOR: ```typescript const currentUser = req.user const { id } = req.body if (currentUser.id !== id) { throw new InternalFlowiseError(StatusCodes.FORBIDDEN) } ``` However, the controller forwards the entire request body directly to the service layer without filtering: ```typescript const user = await userService.updateUser(req.body) ``` Inside UserService.updateUser, the incoming data is merged into the existing user entity: ```typescript updatedUser = queryRunner.manager.merge(User, oldUserData, newUserData) ``` Because newUserData is derived from req.body and there is no field allowlist, any field present in the User entity may be modified. This includes sensitive fields such as: - credential - tempToken - tokenExpiry - status - email The service implements a secure password change workflow that requires the following fields: ```typescript oldPassword newPassword confirmPassword ``` Example code: ```typescript if (newUserData.oldPassword && newUserData.newPassword && newUserData.confirmPassword) { if (!compareHash(newUserData.oldPassword, oldUserData.credential)) { throw new InternalFlowiseError(StatusCodes.BAD_REQUEST) } newUserData.credential = this.encryptUserCredential(newUserData.newPassword) } ``` However, this logic can be bypassed by directly supplying a credential value in the request body. Because the merge operation applies all fields from newUserData, the supplied credential hash will overwrite the stored password hash. ### PoC **Step 1 - Authenticate** Login as any normal user and obtain a valid JWT token. **POST /api/v1/auth/login** **Step 2 - Generate a password hash** Generate a bcrypt hash for a password you control. Example: bcrypt("attacker_password") Example hash: $2b$10$abc123examplehashvalue... Step 3 - Send crafted update request ```http PUT /api/v1/user Authorization: Bearer <JWT_TOKEN> Content-Type: application/json { "id": "<your-user-id>", "credential": "$2b$10$abc123examplehashvalue..." } ``` Step 4 - Login with attacker password The password hash in the database is replaced by the supplied value. The attacker can now authenticate using: **attacker_password** without ever providing the previous password. ### Impact This vulnerability allows authenticated users to bypass the password change security controls. Security protections that are bypassed include: current password verification password hashing enforcement password policy validation session invalidation on password change Although the controller prevents modification of other users' accounts, the vulnerability enables persistence after account compromise. Example attack scenario: - An attacker temporarily obtains a user's session (XSS, token leak, shared device, etc.) - The attacker sends the crafted update request with a new password hash - The attacker now permanently controls the account - Authentication logic bypass - Privilege persistence after compromise - Weak account recovery guarantees

Exploitation Scenario

An attacker targeting an organization using Flowise to manage AI agent workflows first obtains a valid user JWT through XSS in the Flowise chat interface or a phishing-delivered token from a legitimate user. Using this temporary session, the attacker generates a bcrypt hash for a password under their control and submits a single crafted PUT /api/v1/user request with the 'credential' field set to that hash. No previous password is required; the service layer merges the full request body into the user entity without field filtering, directly overwriting the stored hash. The attacker discards the stolen session and later authenticates with their chosen password, gaining persistent full access to the Flowise instance's LLM API keys, agent configurations, and all data processed by connected AI workflows — with no evidence of the original session theft remaining visible in authentication logs.