GHSA-m837-xvxr-vqwg: Flowise: hardcoded CORS wildcard enables drive-by credential abuse

GHSA-m837-xvxr-vqwg MEDIUM
Published May 20, 2026

CISO Take

Flowise's TTS endpoint hardcodes Access-Control-Allow-Origin: * regardless of the platform's own restrictive CORS configuration, meaning any malicious webpage can silently invoke speech synthesis using a victim's stored session credentials — zero privileges required beyond socially engineering a single click. With 79 CVEs tracked in the flowise package and this being one of multiple simultaneous credential abuse vectors reported together, this reflects systemic security debt in a widely-deployed AI workflow platform. EPSS data is unavailable and this is not in CISA KEV, but trivial exploit complexity — a browser fetch() call suffices — makes formal scores irrelevant to prioritization here. Upgrade to Flowise 3.1.2 immediately; if patching is blocked, enforce Origin header validation at the reverse proxy and monitor TTS endpoint logs for cross-origin call anomalies.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium severity with high practical exploitability. The hardcoded wildcard header bypasses CORS controls with no attacker privileges and no specialized knowledge required — any adversary who can serve a webpage can trigger this. The primary risk amplifier is Flowise's role as an AI workflow orchestration platform: credential abuse here can cascade into broader agent compromise, cost harvesting via excessive AI API calls, or serve as a pivot into more sensitive endpoints sharing the same authenticated session context. Exploitation likelihood is limited mainly by the need to lure a logged-in Flowise user to a malicious page, a low bar given phishing or watering-hole delivery.

Attack Kill Chain

  1. Initial Access (AML.T0078): Attacker hosts a malicious webpage with JavaScript that issues a cross-origin fetch to the target organization's Flowise TTS endpoint, relying on a phishing or watering-hole delivery to reach an authenticated user.

  2. Credential Abuse (AML.T0012): Victim visits the malicious page while authenticated to Flowise; the browser attaches stored session credentials to the cross-origin request, which the hardcoded wildcard header allows through in violation of the server's own CORS policy.

  3. Exploitation (AML.T0049): Attacker confirms successful authenticated invocation and can submit arbitrary text to the TTS engine, probing response metadata to infer platform content or configuration details.

  4. Impact (AML.T0034): Attacker achieves unauthorized AI service usage at the victim's expense (cost harvesting), potential disclosure of text content processed by the AI platform, and a confirmed authenticated session pivot point for probing additional Flowise endpoints.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| flowise | npm | <= 3.1.1 | 3.1.2 |


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Patch immediately: upgrade to Flowise 3.1.2, which removes the hardcoded CORS headers and correctly defers to the platform's configurable CORS policy.

  2. Reverse proxy defense: if patching is blocked, add an explicit deny rule at the reverse proxy (nginx/Caddy) for the TTS endpoint on requests carrying a foreign Origin header.

  3. CORS audit: treat this as a pattern signal — audit all other Flowise controller files for similar hardcoded Access-Control-Allow-Origin headers, as the same mistake may exist elsewhere.

  4. Detection: alert on TTS endpoint calls whose Referer or Origin headers do not match your Flowise deployment domain.

  5. Credential hygiene: rotate session tokens for any users who may have accessed Flowise from shared or untrusted devices since the endpoint was first deployed.
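The detection in step 4, as an added example (not code from the advisory or from Flowise): it classifies TTS requests in an access log by comparing the full origin (scheme, host, port) of the Origin header, falling back to Referer, against the deployment origin. The deployment origin, the TTS route placeholder and the JSON-lines field names are assumptions; the log lines are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed values, not from the advisory: set both for your deployment.
ALLOWED_ORIGIN = "https://flowise.corp.example"
TTS_PREFIX = "/tts-route-placeholder"  # TTS route as it appears in your logs
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(value):
    """Reduce an Origin or Referer value to (scheme, host, port), or None."""
    try:
        parts = urlsplit(value or "")
        port = parts.port
    except ValueError:  # malformed host or port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme]

def classify(record, allowed=ALLOWED_ORIGIN, prefix=TTS_PREFIX):
    """None if not a TTS call, else same-origin / foreign / opaque / no-origin."""
    if not record.get("path", "").startswith(prefix):
        return None
    origin, referer = record.get("origin"), record.get("referer")
    if origin == "null":  # sandboxed iframe or other opaque origin
        return "opaque"
    if not origin and not referer:  # typical of curl or server-side clients
        return "no-origin"
    seen = origin_of(origin or referer)  # Origin preferred; whole-origin compare
    return "same-origin" if seen == origin_of(allowed) else "foreign"

def alerts(log_text):
    """Return (timestamp, verdict, header value) for each suspicious TTS call."""
    hits = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict in ("foreign", "opaque"):
            hits.append((rec["ts"], verdict, rec.get("origin") or rec.get("referer")))
    return hits

SAMPLE_LOG = """
{"ts":"09:00:01","path":"/tts-route-placeholder","origin":"https://flowise.corp.example","referer":"https://flowise.corp.example/canvas"}
{"ts":"09:00:02","path":"/tts-route-placeholder","origin":"https://flowise.corp.example.lookalike.test","referer":""}
{"ts":"09:00:03","path":"/tts-route-placeholder","origin":"null","referer":""}
{"ts":"09:00:04","path":"/tts-route-placeholder","origin":"","referer":"http://flowise.corp.example/"}
{"ts":"09:00:05","path":"/tts-route-placeholder","origin":"","referer":""}
{"ts":"09:00:06","path":"/other-route","origin":"https://unrelated.test","referer":""}
"""  # constructed sample; the field names are an assumed log format
```

`alerts(SAMPLE_LOG)` flags the lookalike host, the `null` origin and the scheme mismatch; requests with neither header are left as `no-origin` because non-browser clients routinely omit both.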

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.8.4 - AI System Security Controls
NIST AI RMF: MANAGE 2.2 - Mechanisms to Address AI Risks Are in Place
OWASP LLM Top 10: LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is GHSA-m837-xvxr-vqwg actively exploited?

No confirmed active exploitation of GHSA-m837-xvxr-vqwg has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-m837-xvxr-vqwg?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow platforms, self-hosted LLM orchestration, model serving.

What is the CVSS score for GHSA-m837-xvxr-vqwg?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary

The TTS generation endpoint sets `Access-Control-Allow-Origin: *` as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials.

### Root Cause

```typescript
// packages/server/src/controllers/text-to-speech/index.ts:83
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
```

### Impact

- Cross-origin credential abuse — any webpage can trigger TTS using stored credentials
- Bypasses the server's CORS policy (`getCorsOptions()`) which is otherwise restrictive by default
- Combined with Finding 3 (TTS credential abuse), enables drive-by credential abuse via malicious webpages

### Suggested Fix

Remove the hardcoded CORS wildcard and let the server's CORS middleware handle the headers:

```typescript
// Remove these lines:
// res.setHeader('Access-Control-Allow-Origin', '*')
// res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
```

---

## References

- `packages/server/src/controllers/text-to-speech/index.ts` line 83
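An audit helper for the root-cause pattern above, as an added example (not part of the advisory or the Flowise code base): it scans TypeScript/JavaScript source for response-header calls that set an `Access-Control-*` header to a string literal, which is the shape of the two lines quoted in the root cause. The function names, the set of method names matched and the sample fragment are assumptions made for illustration.

```python
import re
from pathlib import Path

# Matches .setHeader/.header/.set/.append calls whose first argument is an
# Access-Control-* header name and whose second argument is a string literal.
HARDCODED_CORS = re.compile(
    r"""\.\s*(?:setHeader|header|set|append)\s*\(\s*
        (['"`])(?P<name>Access-Control-[A-Za-z-]+)\1\s*,\s*
        (['"`])(?P<value>[^'"`]*)\3""",
    re.IGNORECASE | re.VERBOSE,
)

def scan_source(text):
    """Return (line_no, header, value, commented_out) for each literal CORS header."""
    findings = []
    for m in HARDCODED_CORS.finditer(text):
        line_start = text.rfind("\n", 0, m.start()) + 1
        line_no = text.count("\n", 0, m.start()) + 1
        # Heuristic: a '//' earlier on the same line means the call is commented out.
        commented = "//" in text[line_start:m.start()]
        findings.append((line_no, m["name"], m["value"], commented))
    return findings

def scan_tree(root, suffixes=(".ts", ".js")):
    """Scan source files under root (node_modules skipped); map path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in suffixes or "node_modules" in path.parts or not path.is_file():
            continue
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed fragment; lines 2 and 3 are the calls quoted in the advisory.
SAMPLE_TS = """\
// constructed controller fragment for the scanner
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
res.setHeader('Access-Control-Allow-Origin', allowedOrigin)
// res.setHeader("Access-Control-Allow-Origin", "*")
res.setHeader('Content-Type', 'audio/mpeg')
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_TS):
        print(finding)
```

A value computed at runtime (line 4 of the sample) is not reported, so a clean scan only rules out literal headers; dynamically built values still need manual review.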

Exploitation Scenario

An attacker targeting a security team that uses Flowise for AI workflow automation crafts a malicious webpage embedding a JavaScript snippet that silently POSTs to the victim organization's internal Flowise TTS endpoint with attacker-controlled text. A phishing email lures a Flowise-authenticated analyst to the page. The browser sends the cross-origin request with the victim's session cookie; the hardcoded wildcard header causes the browser to accept the response rather than blocking it under same-origin policy. The attacker confirms a successful authenticated call and can iterate: probing what text was synthesized to infer platform content, triggering repeated calls to inflate the organization's OpenAI TTS spend, or using the confirmed session state as a beachhead to enumerate other Flowise endpoints that share the same credential context and lack the same CORS override.

Timeline

Published: May 20, 2026
Last Modified: May 20, 2026
First Seen: May 20, 2026
