PT-2026-45133 · Npm · Flowise
Published 2026-05-20 · Updated 2026-05-20
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
The TTS generation endpoint sets `Access-Control-Allow-Origin: *` as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials.
Root Cause
```typescript
// packages/server/src/controllers/text-to-speech/index.ts:83
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
```
Impact
- Cross-origin credential abuse — any webpage can trigger TTS using stored credentials
- Bypasses the server's CORS policy (`getCorsOptions()`), which is otherwise restrictive by default
- Combined with Finding 3 (TTS credential abuse), enables drive-by credential abuse via malicious webpages
Suggested Fix
Remove the hardcoded CORS wildcard and let the server's CORS middleware handle the headers:
```typescript
// Remove these lines:
// res.setHeader('Access-Control-Allow-Origin', '*')
// res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
```
References
- `packages/server/src/controllers/text-to-speech/index.ts`, line 83
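A check for the pattern shown under Root Cause, as an added example that is not Flowise code and not part of the original advisory: a heuristic TypeScript scan that reports uncommented calls hardcoding `Access-Control-Allow-Origin: *`, so handlers that bypass the CORS middleware can be found in review or CI. The function name, the sample source and the file name `sample-controller.ts` are constructed for illustration.

```typescript
// Added example (not Flowise code): heuristic scan for handlers that hardcode
// a wildcard Access-Control-Allow-Origin instead of deferring to CORS middleware.
interface Finding { file: string; line: number; code: string }

// res.setHeader / res.header / res.set called with the ACAO header and a literal '*'.
const WILDCARD_ACAO =
    /\.(?:setHeader|header|set)\(\s*(['"])access-control-allow-origin\1\s*,\s*(['"])\*\2\s*\)/i

function findHardcodedCorsWildcards(file: string, source: string): Finding[] {
    const findings: Finding[] = []
    let inBlockComment = false
    source.split(/\r?\n/).forEach((raw, idx) => {
        let line = raw
        if (inBlockComment) {
            const end = line.indexOf('*/')
            if (end === -1) return // whole line is inside a block comment
            line = line.slice(end + 2)
            inBlockComment = false
        }
        // Heuristic comment stripping: does not understand comment markers inside strings.
        line = line.replace(/\/\*.*?\*\//g, '')
        const start = line.indexOf('/*')
        if (start !== -1) {
            line = line.slice(0, start)
            inBlockComment = true
        }
        line = line.replace(/\/\/.*$/, '')
        if (WILDCARD_ACAO.test(line)) {
            findings.push({ file, line: idx + 1, code: raw.trim() })
        }
    })
    return findings
}

// Constructed sample source, modelled on the lines quoted under Root Cause.
const SAMPLE_SOURCE = [
    "const generate = async (req, res) => {",
    "    res.setHeader('Content-Type', 'text/event-stream')",
    "    res.setHeader('Access-Control-Allow-Origin', '*')",
    "    res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')",
    "    // res.setHeader('Access-Control-Allow-Origin', '*')",
    "    res.set(\"access-control-allow-origin\", \"*\")",
    "    res.setHeader('Access-Control-Allow-Origin', allowedOrigin)",
    "}"
].join('\n')

// Lines 3 and 6 are reported; the commented-out and variable-valued calls are not.
const sampleFindings = findHardcodedCorsWildcards('sample-controller.ts', SAMPLE_SOURCE)
```

Each finding carries the file, the 1-based line number and the trimmed source line, which is enough to fail a CI job or annotate a pull request.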
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Flowise