PatchSiren cyber security CVE debrief

CVE-2025-71328 Flowise CVE debrief

CVE-2025-71328 is an unverified password change vulnerability in Flowise, a product by FlowiseAI, before version 3.0.10. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification. The application does not enforce a current-password check on the credential change, which can lead to full account takeover. This vulnerability is particularly risky if an attacker can hijack or coerce an authenticated session. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity.

Vendor: Flowise
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-29
Advisory published: 2026-06-25
Advisory updated: 2026-06-29

Who should care

Security teams and administrators responsible for Flowise deployments should be aware of this vulnerability. Given the high severity and potential for account takeover, immediate attention is required to update Flowise to version 3.0.10 or later. Additionally, users of Flowise should be cautious of potential phishing or session hijacking attacks that could exploit this vulnerability.

Technical summary

The vulnerability exists in Flowise versions prior to 3.0.10. An authenticated user can change their password without providing the current password, because the application performs no current-password check on the credential change. This is a serious issue because it allows unauthorized changes to user credentials from any authenticated session, potentially leading to account takeover. The CVSS:4.0 vector for this vulnerability is AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a high severity score of 8.7.

Defensive priority

High priority should be given to updating Flowise to version 3.0.10 or later. In the meantime, defenders should monitor for suspicious account activity and consider implementing additional authentication measures for sensitive operations.

Recommended defensive actions

  • Update Flowise to version 3.0.10 or later immediately.
  • Monitor for suspicious account activity and password changes.
  • Consider implementing multi-factor authentication for added security.
  • Review and adjust session management and authentication policies.
  • Educate users about the risks of phishing and session hijacking.

Evidence notes

The CVE-2025-71328 entry in the National Vulnerability Database (NVD) provides detailed information about this vulnerability, including its CVSS score and vector. The vendor advisory on GitHub also offers insights into the vulnerability and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.