PatchSiren cyber security CVE debrief

CVE-2025-71337 Flowise CVE debrief

CVE-2025-71337 is a HIGH-severity vulnerability in Flowise, a product by Flowiseai, affecting versions 3.0.7 and earlier. An authenticated user can change the account email address via the account profile endpoint without confirming the change to the original email address or re-entering the current password. This allows an attacker to take over the account and abuse password reset mechanisms. The vulnerability has a CVSS score of 8.7. Flowiseai has released a patch in version 3.0.10. Users should update to the latest version to mitigate this risk.

Vendor: Flowise
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Security teams and administrators responsible for Flowise installations should prioritize patching this vulnerability. Given the HIGH severity and potential for account takeover, defenders should treat affected systems as high-risk and verify that the patch has been applied. Additionally, defenders may want to monitor for suspicious account activity.

Technical summary

The vulnerability exists in the account profile endpoint of Flowise, allowing an authenticated user to change the email address associated with their account without proper verification. This can be exploited by an attacker to gain control of the account. The issue is resolved in Flowise version 3.0.10. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Patch Flowise to version 3.0.10 or later immediately. Verify that all affected systems have been updated and monitor for suspicious account activity.

Recommended defensive actions

  • Patch Flowise to version 3.0.10 or later
  • Verify that all affected systems have been updated
  • Monitor for suspicious account activity
  • Restrict access to the account profile endpoint
  • Implement additional authentication mechanisms for email changes
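The last two actions describe the control the patch restores: an email change should require re-authentication and an out-of-band confirmation rather than a single authenticated request. The following TypeScript sketch is an added illustration, not Flowise code; the in-memory `users` map, the static scrypt salt and the user record are constructed for the example, and the weak handler beside the hardened one shows the difference in a form a reviewer can test.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "crypto";

// Constructed in-memory user record; a real service reads and writes its database.
interface User { id: string; email: string; pwHash: Buffer; pendingEmail?: string; pendingToken?: string }
// Demo-only static salt so the example stays short; real deployments use a per-user salt.
const hashPassword = (pw: string): Buffer => scryptSync(pw, "demo-static-salt", 32);
export const users = new Map<string, User>([
  ["u1", { id: "u1", email: "alice@example.test", pwHash: hashPassword("correct horse") }],
]);

// Weak pattern (the class of bug described above): any authenticated session
// rewrites the address in one step, so a hijacked session or CSRF-style abuse
// immediately redirects password-reset mail to an address the attacker controls.
export function updateEmailWeak(userId: string, newEmail: string): boolean {
  const u = users.get(userId);
  if (!u) return false;
  u.email = newEmail;
  return true;
}

// Hardened pattern: prove possession of the current password, stage the change,
// and only apply it when a one-time token delivered to the new address comes back.
export function requestEmailChange(userId: string, currentPassword: string, newEmail: string): string | null {
  const u = users.get(userId);
  if (!u) return null;
  if (!timingSafeEqual(hashPassword(currentPassword), u.pwHash)) return null; // re-authentication
  u.pendingEmail = newEmail;
  u.pendingToken = randomBytes(32).toString("hex"); // would be mailed to newEmail, never returned to the caller
  // A notification to u.email (the current address) lets the legitimate owner spot an unwanted change.
  return u.pendingToken; // returned here only so the example can exercise the confirmation step
}

export function confirmEmailChange(userId: string, token: string): boolean {
  const u = users.get(userId);
  if (!u || !u.pendingToken || !u.pendingEmail) return false;
  const expected = Buffer.from(u.pendingToken);
  const given = Buffer.from(token);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return false;
  u.email = u.pendingEmail; // the change takes effect only now
  u.pendingEmail = undefined;
  u.pendingToken = undefined;
  return true;
}
```

Detection follows the same split: log the request and the confirmation as separate events, and alert on email changes that were applied without a matching confirmation or that are followed shortly by a password reset.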

Evidence notes

The CVE-2025-71337 vulnerability details were obtained from the NVD and CVE.org. The vulnerability affects Flowise versions 3.0.7 and earlier. The CVSS score is 8.7, indicating a HIGH severity vulnerability. A patch is available in Flowise version 3.0.10.

This article is AI-assisted and based on the supplied source corpus.