<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tts - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/tts/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/tts/feed.xml" rel="self" type="application/rss+xml"/><item><title>Flowise Text-to-Speech API Credit Abuse via Unauthenticated Endpoint</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-flowise-tts-bypass/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-flowise-tts-bypass/</guid><description>The Flowise text-to-speech generation endpoint is vulnerable to unauthorized access due to accepting arbitrary credential IDs in the request body, enabling attackers to use victim's API keys for services like OpenAI and ElevenLabs, consume their API credits, and generate unlimited speech content at the victim's expense; this affects Flowise versions 3.0.13 and earlier.</description><content:encoded><![CDATA[<p>Flowise is vulnerable to an unauthenticated API credit abuse issue affecting the text-to-speech (TTS) generation endpoint (<code>/api/v1/text-to-speech/generate</code>). This vulnerability exists because the endpoint is whitelisted and accepts a <code>credentialId</code> directly within the request body. An attacker can exploit this by sending a POST request to the TTS endpoint with a valid <code>credentialId</code> obtained from a victim, bypassing authentication checks when the <code>chatflowId</code> is not provided. This allows unauthorized use of the victim's linked services such as OpenAI, ElevenLabs, Azure, or Google TTS services, leading to the depletion of API credits and the generation of arbitrary audio content at their cost. The vulnerability impacts Flowise versions up to and including version 3.0.13.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Flowise instance running version 3.0.13 or earlier.</li>
<li>Attacker gains knowledge of a valid <code>credentialId</code> associated with a victim's linked TTS service (e.g., OpenAI, ElevenLabs). This might be through exposed API endpoints from a separate finding, or through other means.</li>
<li>Attacker crafts a POST request to <code>/api/v1/text-to-speech/generate</code>, omitting the <code>chatflowId</code> parameter.</li>
<li>The POST request includes the attacker-controlled <code>credentialId</code> in the body along with parameters for <code>provider</code>, <code>voice</code>, and <code>model</code> for the TTS generation.</li>
<li>The vulnerable endpoint processes the request without authentication due to its whitelisted status in <code>packages/server/src/utils/constants.ts</code>.</li>
<li>The endpoint utilizes the provided <code>credentialId</code> to decrypt and use the stored API key for the specified TTS provider (OpenAI, ElevenLabs, etc.).</li>
<li>The endpoint initiates TTS generation using the victim's API credentials.</li>
<li>The attacker successfully generates speech content, consuming the victim's API credits without authorization, demonstrating abuse of resource-development capabilities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to use a victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization. This can result in the unauthorized consumption of API credits from the victim's account, potentially incurring significant financial costs. The attacker can generate unlimited speech content at the victim's expense, causing further financial strain and potential disruption of service. When combined with other vulnerabilities that expose credential IDs, the exploitability of this issue is greatly increased.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the suggested fix by removing the TTS endpoint from <code>WHITELIST_URLS</code> in <code>packages/server/src/utils/constants.ts</code> or implement credential validation to ensure the <code>credentialId</code> belongs to the chatflow being used.</li>
<li>Monitor web server logs for POST requests to <code>/api/v1/text-to-speech/generate</code> without a <code>chatflowId</code> parameter as indicated in the rule &quot;Detect Flowise Unauthenticated TTS Request&quot;.</li>
<li>Review and restrict access to any APIs or endpoints that may expose <code>credentialId</code> values to prevent attackers from obtaining valid credentials for this exploit.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>flowise</category><category>tts</category><category>api-abuse</category><category>unauthenticated-access</category></item></channel></rss>