CVE-2025-71337
Undergoing Analysis - In Progress
Unauthenticated Email Change in Flowise

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: flowise
Product: flowise
Version / Range: up to 3.0.10 (excluding 3.0.10)
CWE
CWE-620 (Unverified Password Change): When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
AI Quick Actions (AI-generated insights)
Executive Summary

CVE-2025-71337 is a vulnerability in Flowise versions 3.0.7 and earlier that allows an authenticated user to change their account email address without verifying the change through the original email or re-entering the current password.

Since the email address is used as both the login identifier and the password recovery channel, this flaw enables an attacker to take over the account by changing the recovery email and abusing password reset mechanisms.

The vulnerability is classified as high severity with CVSS scores of 8.7 (v4.0) and 8.3 (v3.1), and it was fixed in Flowise version 3.0.10.

Compliance Impact

This vulnerability allows an attacker to take over user accounts by changing the account email address without verification, which can lead to unauthorized access to personal data.

Such unauthorized access and potential data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user authentication and protection of personal information.

Specifically, the failure to verify email changes and the ability to abuse password reset mechanisms undermine the integrity and confidentiality of user data, increasing the risk of data exposure and violating regulatory requirements for secure identity management.

Impact Analysis

This vulnerability can lead to full account takeover (ATO) by an attacker who exploits the ability to change the account's email address without verification.

Once the attacker changes the recovery email, they can abuse password reset mechanisms to gain unauthorized access to the victim's account.

The attack requires only low privileges and no user interaction, making it highly exploitable remotely and posing significant risks to confidentiality and integrity of user accounts.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or suspicious changes to user email addresses via the account profile endpoint in Flowise versions 3.0.7 and earlier.

Since the vulnerability allows an authenticated user to change their email without verification, you can check server logs or audit trails for POST or PATCH requests to the account profile endpoint that modify the email field without corresponding password verification events.

Commands to assist detection might include searching web server logs for such requests. For example, using grep on access logs (the /account/profile path below is a placeholder; substitute the profile endpoint your Flowise deployment actually exposes):

  • grep -i 'POST /account/profile' /var/log/nginx/access.log | grep 'email='
  • grep -i 'PATCH /account/profile' /var/log/nginx/access.log | grep 'email='

Note that standard access logs record only the request line, so the 'email=' filter matches only when the address is passed in the query string; for JSON or form bodies, enable request-body logging or rely on application-level audit events instead.

Additionally, monitoring for changes in user email addresses in the database without corresponding password verification or confirmation events can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Flowise to version 3.0.10 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the account profile endpoint to trusted users only and monitor for suspicious email change activities.

Implement additional verification steps for email changes, such as requiring confirmation via the original email address or re-entering the current password, if possible through custom controls or temporary patches.

Review and tighten authentication and authorization controls to limit the ability of low-privilege users to modify critical account information.
