GHSA-x7rp-qj2h-ghgw

Source
https://github.com/advisories/GHSA-x7rp-qj2h-ghgw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-x7rp-qj2h-ghgw/GHSA-x7rp-qj2h-ghgw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x7rp-qj2h-ghgw
Published
2025-11-14T20:50:36Z
Modified
2025-11-14T20:50:36Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Flowise Fails to Invalidate Existing Sessions After Password Changes
Details

Summary

Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).

Details

After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user’s password change.

PoC

Repro steps:
1. As a logged-in user on two browsers (i.e. Chrome and Firefox, with incognito/private mode), change the password at https://cloud.flowiseai.com/account on Chrome, for example.
2. Refresh the site on Firefox (the second browser) and notice that it is still logged in (despite the credentials having been changed).

POC: Steps described above (in Repro steps) completed successfully.

Impact

Persistent unauthorized access despite credential rotation - undermines the primary purpose of password changes as a remediation step. Enables attackers with an active session (remote or physical access to a device) to continue acting as the user (confidentiality and integrity impact). If session tokens are not bound to the credential state, forced password changes won’t terminate attacker sessions.

Resources

  • OWASP Session Management Cheat Sheet
  • CWE-613: Insufficient Session Expiration

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-613"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T20:50:36Z"
}
References

Affected packages

npm / flowise

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.0.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-x7rp-qj2h-ghgw/GHSA-x7rp-qj2h-ghgw.json"