ГлавнаяУязвимости → CVE-2025-71335
8.1высокая

CVE-2025-71335

Описание

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

Затрагиваемое ПО
Flowiseai Flowise
CVSS
Балл8.1 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Источники
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgwhttps://www.vulncheck.com/advisories/flowise-session-invalidation-failure-after-password-change