UNKNOWN npm

Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage

GHSA-m837-xvxr-vqwg

Description

Summary

The TTS generation endpoint sets Access-Control-Allow-Origin: * as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials.

Root Cause

// packages/server/src/controllers/text-to-speech/index.ts:83
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')

Impact

  • Cross-origin credential abuse — any webpage can trigger TTS using stored credentials
  • Bypasses the server's CORS policy (getCorsOptions()), which is otherwise restrictive by default
  • Combined with Finding 3 (TTS credential abuse), enables drive-by credential abuse via malicious webpages

Suggested Fix

Remove the hardcoded CORS wildcard and let the server's CORS middleware handle the headers:

// Remove these lines:
// res.setHeader('Access-Control-Allow-Origin', '*')
// res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
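
Added example (not from the advisory or the Flowise code base): a small model of why a header set inside the route handler overrides the global CORS policy, and a regression check that flags handlers doing so. FakeResponse, corsMiddleware, the two handler functions, the allowlist and the example origins are hypothetical stand-ins; only the two hardcoded setHeader calls come from the page.

```javascript
// Added example: a stand-in for an Express-style response, not Flowise code.
class FakeResponse {
  constructor() { this.headers = {} }
  // As in Node's res.setHeader, a later write replaces an earlier one.
  setHeader(name, value) { this.headers[name.toLowerCase()] = value }
  getHeader(name) { return this.headers[name.toLowerCase()] }
}

// Hypothetical restrictive CORS middleware (assumption): echo Origin only if allowlisted.
function corsMiddleware(allowedOrigins) {
  return (req, res) => {
    const origin = req.headers.origin
    if (origin && allowedOrigins.includes(origin)) {
      res.setHeader('Access-Control-Allow-Origin', origin)
      res.setHeader('Vary', 'Origin')
    }
  }
}

// Handler carrying the two hardcoded headers quoted under Root Cause.
function vulnerableTtsHandler(req, res) {
  res.setHeader('Access-Control-Allow-Origin', '*')
  res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
  res.setHeader('Content-Type', 'application/octet-stream') // constructed placeholder
}

// Same handler after the suggested fix: no CORS headers are set here.
function fixedTtsHandler(req, res) {
  res.setHeader('Content-Type', 'application/octet-stream') // constructed placeholder
}

// Would a browser expose the response to a page at `origin`?
// Models requests sent without cookies, where '*' matches every origin.
function browserAllowsRead(origin, handler, allowedOrigins) {
  const req = { headers: { origin } }
  const res = new FakeResponse()
  corsMiddleware(allowedOrigins)(req, res) // global policy runs first
  handler(req, res)                        // route code runs after and can overwrite it
  const acao = res.getHeader('Access-Control-Allow-Origin')
  return acao === '*' || acao === origin
}

// Regression check: names of handlers that open themselves to an unlisted origin.
function handlersBypassingPolicy(handlers, allowedOrigins, probe = 'https://unlisted.example') {
  return Object.entries(handlers)
    .filter(([, h]) => browserAllowsRead(probe, h, allowedOrigins))
    .map(([name]) => name)
}
```

With an allowlist of one origin, only the handler that keeps the hardcoded wildcard is reported; the fixed handler inherits the middleware's decision for every origin.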

References

  • packages/server/src/controllers/text-to-speech/index.ts line 83
