CVE-2025-71335
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
Flowise before version 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials.
Risk Assessment
The risk is that changing the password does not protect against an attacker who has already hijacked a session, allowing continued unauthorized access to the user's account and data.
Recommendation
Immediately upgrade Flowise to version 3.0.10 or later, which includes a fix to invalidate sessions after a password change.
Original NVD description (English source)
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

