GHSA-7g73-99r4-m4mj
FlowiseAI Vulnerable to Credential Data Leak
Details
**Severity**: HIGH (CVSS ~7.5) **Type**: CWE-200 (Exposure of Sensitive Information) **File**: `packages/server/src/services/credentials/index.ts:62-71`
**Description**: When credentials are fetched with a `credentialName` filter parameter, the `encryptedData` field is NOT stripped from the response. The code properly omits `encryptedData` when NO filter is used (line 102) but fails to do so when a filter IS used (lines 62-63, 70-71). Credential Data Leak **Evidence**: ```typescript // Lines 62-63: WITH filter - encryptedData LEAKED const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions) dbResponse.push(...credentials) // encryptedData NOT removed!
// Lines 100-102: WITHOUT filter - encryptedData properly omitted for (const credential of credentials) { dbResponse.push(omit(credential, ['encryptedData'])) // Correctly omitted } ```
**Impact**: Authenticated users can extract encrypted credential data (API keys, passwords, tokens for services like OpenAI, AWS, etc.). Combined with access to the encryption key file (`~/.flowise/encryption.key` written with default permissions), this enables full credential theft.
**Reproduction**: ```bash curl https://TARGET/api/v1/credentials?credentialName=openAIApi \ -H "Authorization: Bearer API_KEY" # Response includes encryptedData field with AES-encrypted credentials ```
Are you affected?
Enter the version of the package you're using.