GHSA-5fw2-mwhh-9947

### Summary The text-to-speech generation endpoint (`POST /api/v1/text-to-speech/generate`) is whitelisted (no auth) and accepts a `credentialId` directly in the request body. When called without a `chatflowId`, the endpoint uses the provided `credentialId` to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. ### Root Cause ```typescript // packages/server/src/controllers/text-to-speech/index.ts:58-64 } else { // Use TTS config from request body provider = bodyProvider credentialId = bodyCredentialId // ← attacker-controlled credential ID voice = bodyVoice model = bodyModel } ``` ### Docker Validation `POST /api/v1/text-to-speech/generate` with arbitrary `credentialId` in body: endpoint processes request, sends SSE `tts_start` event, only fails when credential doesn't exist — proves code path runs without authentication. ### Impact - Use victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization - Burn API credits on the victim's account - Generate unlimited speech content at victim's expense - Combined with credential ID leak from Finding 2, this is trivially exploitable ### Suggested Fix Remove the TTS endpoint from `WHITELIST_URLS` or validate that the credential belongs to the chatflow being used: ```typescript // Only allow credentialId when it matches the chatflow's TTS configuration if (!chatflowId) { return res.status(401).json({ message: 'Authentication required' }) } ``` --- ## References - `packages/server/src/controllers/text-to-speech/index.ts` lines 10-162 - `packages/server/src/utils/constants.ts` line 41 (whitelist entry) ## Credits - Shinobi Security - https://github.com/shinobisecurity