Listen to this Post
How the mentioned CVE works:
The vulnerability exists in the GET /api/v1/public-chatflows/:id endpoint. When a public chatflow is requested, the server returns the full chatflow object without any sanitization. The root cause is in packages/server/src/controllers/chatflows/index.ts lines 218-220. The code fetches the chatflow by ID, checks if it exists, and then if isPublic is true, it returns the entire chatflow object directly. No filtering or stripping of sensitive fields occurs. Docker validation on version v3.0.13 confirmed that the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released image. An attacker can create a public chatflow containing credential IDs, plaintext API keys, and password-type fields inside flowData. For example, flowData includes nodes with credential UUIDs and inputs like password and apiKey. The endpoint returns all this raw data. Additionally, the public-chatbotConfig endpoint suffers from the same issue. Even in the unreleased HEAD, only public-chatbotConfig calls the sanitization function, while public-chatflows never does. Thus, both endpoints leak credential IDs (enabling OAuth2 token theft), plaintext API keys, third-party account compromise, and internal node configurations. The suggested fix is to apply sanitization to both endpoints by calling sanitizeFlowDataForPublicEndpoint and stripping all credential, password, apiKey, and secretKey fields from flowData.
dailycve form:
Platform: Flowise
Version: 3.0.13
Vulnerability: Unauthenticated info leak
Severity: Critical
date: 2025-03-12
Prediction: 2025-04-15
What Undercode Say:
Check if vulnerable endpoint exposes credentials curl -s https://target.com/api/v1/public-chatflows/123 | jq '.flowData' Extract credential IDs from leaked flowData curl -s https://target.com/api/v1/public-chatflows/123 | jq '.flowData' | grep -oE '"credential":"[^"]"' Dump plaintext API keys curl -s https://target.com/api/v1/public-chatflows/123 | jq '.flowData' | grep -oE '"apiKey":"[^"]"' Test public-chatbotConfig endpoint as well curl -s https://target.com/api/v1/public-chatbotConfig/123 | jq '.flowData'
How Exploit:
- Identify any public chatflow ID (e.g., via enumeration or sharing links).
2. Send GET request to /api/v1/public-chatflows/.
3. Parse the JSON response, specifically flowData field.
- Extract credential UUIDs, apiKey, password, and secretKey values.
- Use leaked API keys to access third-party services (OpenAI, etc.).
- Use credential IDs to attempt OAuth2 token replay or further attacks.
Protection from this CVE:
- Upgrade to a patched version once available (beyond v3.0.13).
- Apply the fix: In index.ts lines 218-220, replace raw return with sanitized version.
- Implement middleware to strip credential, apiKey, password, secretKey from flowData for all public endpoints.
- If unable to patch, set all chatflows to non-public until fix is applied.
- Block external access to /api/v1/public-chatflows/ and /api/v1/public-chatbotConfig/ via WAF or reverse proxy.
Impact:
- Leaked credential IDs enable OAuth2 token theft and session hijacking.
- Plaintext API keys lead to direct compromise of external AI/LLM provider accounts.
- Exposed node configurations reveal internal architecture, endpoints, and business logic.
- Both public-chatflows and public-chatbotConfig are affected, amplifying attack surface.
- Unauthenticated access allows any external attacker to steal sensitive data without privileges.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

