GHSA-m837-xvxr-vqwg
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
Details
### Summary
The TTS generation endpoint sets `Access-Control-Allow-Origin: *` as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials.
### Root Cause
```typescript // packages/server/src/controllers/text-to-speech/index.ts:83 res.setHeader('Access-Control-Allow-Origin', '*') res.setHeader('Access-Control-Allow-Headers', 'Cache-Control') ```
### Impact
- Cross-origin credential abuse — any webpage can trigger TTS using stored credentials - Bypasses the server's CORS policy (`getCorsOptions()`) which is otherwise restrictive by default - Combined with Finding 3 (TTS credential abuse), enables drive-by credential abuse via malicious webpages
### Suggested Fix
Remove the hardcoded CORS wildcard and let the server's CORS middleware handle the headers:
```typescript // Remove these lines: // res.setHeader('Access-Control-Allow-Origin', '*') // res.setHeader('Access-Control-Allow-Headers', 'Cache-Control') ```
---
## References
- `packages/server/src/controllers/text-to-speech/index.ts` line 83
Are you affected?
Enter the version of the package you're using.