| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| flowise | npm | < 3.0.10 | 3.0.10 |
The vulnerability lies in the application's failure to invalidate existing user sessions after a password change or reset. This allows an attacker who has compromised a user's session to maintain access even after the legitimate user changes their credentials. The analysis of the provided pull request and its associated commits reveals that the fix involves terminating all active sessions for a user when their password is changed or reset.
The key commit c956b3562d24fd0df9146a4605eb92cc62e1646f introduces a new function, destroyAllSessionsForUser, which is responsible for clearing out all session data for a given user from the session store (either Redis or a database).
This new function is then called in two critical locations:
- UserService.updateUser: called when a user changes their own password. The patch adds a call to destroyAllSessionsForUser immediately after the password has been successfully updated.
- AccountService.resetPassword: used for password resets (e.g., via a "forgot password" link). The patch adds a call to destroyAllSessionsForUser after the new password has been set.

Prior to these changes, both updateUser and resetPassword only updated the password hash in the database, leaving existing session tokens valid. Identifying where the session invalidation logic was added pinpoints the exact functions that were vulnerable.
| Vulnerable Function | File |
|---|---|
| UserService.updateUser | packages/server/src/enterprise/services/user.service.ts |
| AccountService.resetPassword | packages/server/src/enterprise/services/account.service.ts |
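The following is an added example, not Flowise code, that models the pre-fix and post-fix behaviour described above. The in-memory Map stands in for the Redis or database session store, and every name other than updateUser, resetPassword and destroyAllSessionsForUser is hypothetical. It shows why rewriting the password hash alone is insufficient: a session issued before the change keeps working until the store entries for that user are removed, and it shows the ordering the fix uses (write the new hash first, then destroy the sessions).

```typescript
// Added example (not Flowise code): minimal model of "terminate every session when the
// password changes". The Map below stands in for the Redis/database session store; class
// and helper names other than updateUser / resetPassword / destroyAllSessionsForUser are hypothetical.
import { randomBytes, scryptSync, timingSafeEqual } from 'crypto';

interface SessionRecord {
  sessionId: string;
  userId: string;
  createdAt: number;
}

interface UserRecord {
  salt: string;
  passwordHash: string;
}

class SessionStore {
  private readonly sessions = new Map<string, SessionRecord>();

  // Issue a fresh random session id bound to the given user.
  create(userId: string): string {
    const sessionId = randomBytes(32).toString('hex');
    this.sessions.set(sessionId, { sessionId, userId, createdAt: Date.now() });
    return sessionId;
  }

  // A session is valid only while its record still exists in the store.
  isValid(sessionId: string): boolean {
    return this.sessions.has(sessionId);
  }

  // Remove every session belonging to one user and return how many were destroyed.
  // This is the role destroyAllSessionsForUser plays in the fix: after a credential
  // change, no previously issued session token for that user survives.
  destroyAllSessionsForUser(userId: string): number {
    let destroyed = 0;
    for (const [sessionId, record] of this.sessions) {
      if (record.userId === userId) {
        this.sessions.delete(sessionId); // deleting during Map iteration is safe in JS
        destroyed++;
      }
    }
    return destroyed;
  }
}

class UserService {
  private readonly users = new Map<string, UserRecord>();

  constructor(private readonly sessions: SessionStore) {}

  createUser(userId: string, password: string): void {
    this.users.set(userId, this.hash(password));
  }

  verifyPassword(userId: string, password: string): boolean {
    const record = this.users.get(userId);
    if (!record) return false;
    const candidate = scryptSync(password, record.salt, 64);
    return timingSafeEqual(candidate, Buffer.from(record.passwordHash, 'hex'));
  }

  // Pre-fix behaviour: only the stored hash changes; sessions issued earlier stay valid.
  updateUserWithoutInvalidation(userId: string, newPassword: string): void {
    this.setPassword(userId, newPassword);
  }

  // Fixed behaviour: store the new hash first, and only once that has succeeded destroy
  // the user's sessions. Returns the number of sessions terminated.
  updateUser(userId: string, newPassword: string): number {
    this.setPassword(userId, newPassword);
    return this.sessions.destroyAllSessionsForUser(userId);
  }

  // "Forgot password" path: the same invalidation step runs after the new password is set.
  resetPassword(userId: string, newPassword: string): number {
    return this.updateUser(userId, newPassword);
  }

  private setPassword(userId: string, newPassword: string): void {
    if (!this.users.has(userId)) throw new Error(`unknown user ${userId}`);
    this.users.set(userId, this.hash(newPassword));
  }

  private hash(password: string): UserRecord {
    const salt = randomBytes(16).toString('hex');
    return { salt, passwordHash: scryptSync(password, salt, 64).toString('hex') };
  }
}
```

A defender checking a real deployment for this class of bug can apply the same test the code encodes: log in twice, change the password from one session, and confirm the other session is rejected on its next request. Only the sessions of the user whose password changed are removed; other users' sessions are untouched.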