{"id":75979,"date":"2025-09-18T18:54:48","date_gmt":"2025-09-18T18:54:48","guid":{"rendered":""},"modified":"2025-10-25T14:23:32","modified_gmt":"2025-10-25T20:23:32","slug":"cve-2025-58434-unauthenticated-password-reset-exploit-in-flowise","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-58434-unauthenticated-password-reset-exploit-in-flowise\/","title":{"rendered":"CVE-2025-58434: Unauthenticated Password Reset Exploit in Flowise<\/strong>"},"content":{"rendered":"

Overview<\/strong><\/p>\n

CVE-2025-58434 is a serious vulnerability found in the `forgot-password` endpoint of Flowise, a drag & drop user interface used to build customized large language model flows. In earlier versions, specifically version 3.0.5 and below, this endpoint has been found to return sensitive information, including a valid password reset `tempToken`, without any form of authentication or verification. This vulnerability paves the way for potential<\/a> attackers to generate a reset token for any user, thereby enabling them to reset the user’s password and take over the account. This vulnerability is especially significant given Flowise’s widespread use in both cloud service (`cloud.flowiseai.com`) and self-hosted\/local deployments.<\/p>\n

Vulnerability Summary<\/strong><\/p>\n

CVE ID: CVE-2025-58434
\nSeverity: Critical (9.8)
\nAttack Vector: Network
\nPrivileges Required: None
\nUser Interaction: None
\nImpact: Potential system<\/a> compromise or data leakage<\/p>\n

Affected Products<\/strong><\/p>

\r\n

\r\n \r\n \"Ameeba\r\n <\/a>\r\n A new way to communicate\r\n <\/h2>\r\n\r\n

\r\n Ameeba Chat is built on encrypted identity, not personal profiles.\r\n <\/p>\r\n\r\n

\r\n Message, call, share files, and coordinate with identities kept separate.\r\n <\/p>\r\n\r\n