{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tts/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flowise"],"_cs_severities":["high"],"_cs_tags":["flowise","tts","api-abuse","unauthenticated-access"],"_cs_type":"advisory","_cs_vendors":["Flowise"],"content_html":"\u003cp\u003eFlowise is vulnerable to an unauthenticated API credit abuse issue affecting the text-to-speech (TTS) generation endpoint (\u003ccode\u003e/api/v1/text-to-speech/generate\u003c/code\u003e). This vulnerability exists because the endpoint is whitelisted and accepts a \u003ccode\u003ecredentialId\u003c/code\u003e directly within the request body. An attacker can exploit this by sending a POST request to the TTS endpoint with a valid \u003ccode\u003ecredentialId\u003c/code\u003e obtained from a victim, bypassing authentication checks when the \u003ccode\u003echatflowId\u003c/code\u003e is not provided. This allows unauthorized use of the victim's linked services such as OpenAI, ElevenLabs, Azure, or Google TTS services, leading to the depletion of API credits and the generation of arbitrary audio content at their cost. The vulnerability impacts Flowise versions up to and including version 3.0.13.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Flowise instance running version 3.0.13 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker gains knowledge of a valid \u003ccode\u003ecredentialId\u003c/code\u003e associated with a victim's linked TTS service (e.g., OpenAI, ElevenLabs). This might be through exposed API endpoints from a separate finding, or through other means.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to \u003ccode\u003e/api/v1/text-to-speech/generate\u003c/code\u003e, omitting the \u003ccode\u003echatflowId\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the attacker-controlled \u003ccode\u003ecredentialId\u003c/code\u003e in the body along with parameters for \u003ccode\u003eprovider\u003c/code\u003e, \u003ccode\u003evoice\u003c/code\u003e, and \u003ccode\u003emodel\u003c/code\u003e for the TTS generation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable endpoint processes the request without authentication due to its whitelisted status in \u003ccode\u003epackages/server/src/utils/constants.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe endpoint utilizes the provided \u003ccode\u003ecredentialId\u003c/code\u003e to decrypt and use the stored API key for the specified TTS provider (OpenAI, ElevenLabs, etc.).\u003c/li\u003e\n\u003cli\u003eThe endpoint initiates TTS generation using the victim's API credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully generates speech content, consuming the victim's API credits without authorization, demonstrating abuse of resource-development capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to use a victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization. This can result in the unauthorized consumption of API credits from the victim's account, potentially incurring significant financial costs. The attacker can generate unlimited speech content at the victim's expense, causing further financial strain and potential disruption of service. When combined with other vulnerabilities that expose credential IDs, the exploitability of this issue is greatly increased.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix by removing the TTS endpoint from \u003ccode\u003eWHITELIST_URLS\u003c/code\u003e in \u003ccode\u003epackages/server/src/utils/constants.ts\u003c/code\u003e or implement credential validation to ensure the \u003ccode\u003ecredentialId\u003c/code\u003e belongs to the chatflow being used.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/v1/text-to-speech/generate\u003c/code\u003e without a \u003ccode\u003echatflowId\u003c/code\u003e parameter as indicated in the rule \u0026quot;Detect Flowise Unauthenticated TTS Request\u0026quot;.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to any APIs or endpoints that may expose \u003ccode\u003ecredentialId\u003c/code\u003e values to prevent attackers from obtaining valid credentials for this exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-flowise-tts-bypass/","summary":"The Flowise text-to-speech generation endpoint is vulnerable to unauthorized access due to accepting arbitrary credential IDs in the request body, enabling attackers to use victim's API keys for services like OpenAI and ElevenLabs, consume their API credits, and generate unlimited speech content at the victim's expense; this affects Flowise versions 3.0.13 and earlier.","title":"Flowise Text-to-Speech API Credit Abuse via Unauthenticated Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-09-flowise-tts-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Tts","version":"https://jsonfeed.org/version/1.1"}