Vulnerability Description
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw
- https://www.vulncheck.com/advisories/flowise-session-invalidation-failure-after-
FAQ
What is CVE-2025-71335?
CVE-2025-71335 is a vulnerability with a CVSS score of 8.1 (HIGH). Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active sessio...
How severe is CVE-2025-71335?
CVE-2025-71335 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-71335?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.