GHSA-m837-xvxr-vqwg: Flowise: hardcoded CORS wildcard enables drive-by credential abuse
GHSA-m837-xvxr-vqwg MEDIUMFlowise's TTS endpoint hardcodes Access-Control-Allow-Origin: * regardless of the platform's own restrictive CORS configuration, meaning any malicious webpage can silently invoke speech synthesis using a victim's stored session credentials — zero privileges required beyond socially engineering a single click. With 79 CVEs tracked in the flowise package and this being one of multiple simultaneous credential abuse vectors reported together, this reflects systemic security debt in a widely-deployed AI workflow platform. EPSS data is unavailable and this is not in CISA KEV, but trivial exploit complexity — a browser fetch() call suffices — makes formal scores irrelevant to prioritization here. Upgrade to Flowise 3.1.2 immediately; if patching is blocked, enforce Origin header validation at the reverse proxy and monitor TTS endpoint logs for cross-origin call anomalies.
What is the risk?
Medium severity with high practical exploitability. The hardcoded wildcard header bypasses CORS controls with no attacker privileges and no specialized knowledge required — any adversary who can serve a webpage can trigger this. The primary risk amplifier is Flowise's role as an AI workflow orchestration platform: credential abuse here can cascade into broader agent compromise, cost harvesting via excessive AI API calls, or serve as a pivot into more sensitive endpoints sharing the same authenticated session context. Exploitation likelihood is limited mainly by the need to lure a logged-in Flowise user to a malicious page, a low bar given phishing or watering-hole delivery.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | <= 3.1.1 | 3.1.2 |
Do you use Flowise? You're affected.
How severe is it?
What should I do?
5 steps-
Patch immediately: upgrade to Flowise 3.1.2, which removes the hardcoded CORS headers and correctly defers to the platform's configurable CORS policy.
-
Reverse proxy defense: if patching is blocked, add an explicit deny rule at the reverse proxy (nginx/Caddy) for the TTS endpoint on requests carrying a foreign Origin header.
-
CORS audit: treat this as a pattern signal — audit all other Flowise controller files for similar hardcoded Access-Control-Allow-Origin headers, as the same mistake may exist elsewhere.
-
Detection: alert on TTS endpoint calls whose Referer or Origin headers do not match your Flowise deployment domain.
-
Credential hygiene: rotate session tokens for any users who may have accessed Flowise from shared or untrusted devices since the endpoint was first deployed.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-m837-xvxr-vqwg?
Flowise's TTS endpoint hardcodes Access-Control-Allow-Origin: * regardless of the platform's own restrictive CORS configuration, meaning any malicious webpage can silently invoke speech synthesis using a victim's stored session credentials — zero privileges required beyond socially engineering a single click. With 79 CVEs tracked in the flowise package and this being one of multiple simultaneous credential abuse vectors reported together, this reflects systemic security debt in a widely-deployed AI workflow platform. EPSS data is unavailable and this is not in CISA KEV, but trivial exploit complexity — a browser fetch() call suffices — makes formal scores irrelevant to prioritization here. Upgrade to Flowise 3.1.2 immediately; if patching is blocked, enforce Origin header validation at the reverse proxy and monitor TTS endpoint logs for cross-origin call anomalies.
Is GHSA-m837-xvxr-vqwg actively exploited?
No confirmed active exploitation of GHSA-m837-xvxr-vqwg has been reported, but organizations should still patch proactively.
How to fix GHSA-m837-xvxr-vqwg?
1. Patch immediately: upgrade to Flowise 3.1.2, which removes the hardcoded CORS headers and correctly defers to the platform's configurable CORS policy. 2. Reverse proxy defense: if patching is blocked, add an explicit deny rule at the reverse proxy (nginx/Caddy) for the TTS endpoint on requests carrying a foreign Origin header. 3. CORS audit: treat this as a pattern signal — audit all other Flowise controller files for similar hardcoded Access-Control-Allow-Origin headers, as the same mistake may exist elsewhere. 4. Detection: alert on TTS endpoint calls whose Referer or Origin headers do not match your Flowise deployment domain. 5. Credential hygiene: rotate session tokens for any users who may have accessed Flowise from shared or untrusted devices since the endpoint was first deployed.
What systems are affected by GHSA-m837-xvxr-vqwg?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow platforms, self-hosted LLM orchestration, model serving.
What is the CVSS score for GHSA-m837-xvxr-vqwg?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0034 Cost Harvesting AML.T0049 Exploit Public-Facing Application AML.T0078 Drive-by Compromise Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary The TTS generation endpoint sets `Access-Control-Allow-Origin: *` as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials. ### Root Cause ```typescript // packages/server/src/controllers/text-to-speech/index.ts:83 res.setHeader('Access-Control-Allow-Origin', '*') res.setHeader('Access-Control-Allow-Headers', 'Cache-Control') ``` ### Impact - Cross-origin credential abuse — any webpage can trigger TTS using stored credentials - Bypasses the server's CORS policy (`getCorsOptions()`) which is otherwise restrictive by default - Combined with Finding 3 (TTS credential abuse), enables drive-by credential abuse via malicious webpages ### Suggested Fix Remove the hardcoded CORS wildcard and let the server's CORS middleware handle the headers: ```typescript // Remove these lines: // res.setHeader('Access-Control-Allow-Origin', '*') // res.setHeader('Access-Control-Allow-Headers', 'Cache-Control') ``` --- ## References - `packages/server/src/controllers/text-to-speech/index.ts` line 83
Exploitation Scenario
An attacker targeting a security team that uses Flowise for AI workflow automation crafts a malicious webpage embedding a JavaScript snippet that silently POSTs to the victim organization's internal Flowise TTS endpoint with attacker-controlled text. A phishing email lures a Flowise-authenticated analyst to the page. The browser sends the cross-origin request with the victim's session cookie; the hardcoded wildcard header causes the browser to accept the response rather than blocking it under same-origin policy. The attacker confirms a successful authenticated call and can iterate: probing what text was synthesized to infer platform content, triggering repeated calls to inflate the organization's OpenAI TTS spend, or using the confirmed session state as a beachhead to enumerate other Flowise endpoints that share the same credential context and lack the same CORS override.
Weaknesses (CWE)
CWE-942 — Permissive Cross-domain Security Policy with Untrusted Domains: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
- [Architecture and Design, Operation] Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
- [Architecture and Design, Operation] Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2025-71338 10.0 Flowise: unauthenticated file write enables RCE
Same package: flowise CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same package: flowise CVE-2025-61913 9.9 Flowise: path traversal in file tools leads to RCE
Same package: flowise CVE-2026-40933 9.9 Flowise: RCE via MCP stdio command injection
Same package: flowise CVE-2026-46442 9.9 Flowise: sandbox escape enables authenticated RCE
Same package: flowise