Skip to content

Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage #5901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
0xi4o merged 7 commits into from
Mar 23, 2026
Merged

Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage #5901

Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f174afd
Stop text-to-speach endpoint from accepting arbitrary creds
Mar 4, 2026
4fa923f
Merge branch 'main' of https://github.com/FlowiseAI/Flowise
Mar 4, 2026
97d0c8e
Stop text-to-speach endpoint from accepting arbitrary creds
Mar 4, 2026
c29271e
Merge branch 'main' into text-to-speach-fixes
yau-wd Mar 5, 2026
981ea47
Hardcoded CORS wildcard on TTS endpoint enables cross-origin credenti…
Mar 9, 2026
0fdbee0
Merge branch 'main' into text-to-speach-fixes
yau-wd Mar 10, 2026
357b9e3
add: allow tts in domain validation
0xi4o Mar 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions packages/server/src/controllers/text-to-speech/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import { convertTextToSpeechStream } from 'flowise-components'
import { StatusCodes } from 'http-status-codes'
import { InternalFlowiseError } from '../../errors/internalFlowiseError'
import chatflowsService from '../../services/chatflows'
import credentialsService from '../../services/credentials'
import textToSpeechService from '../../services/text-to-speech'
import { databaseEntities } from '../../utils'
import { getRunningExpressApp } from '../../utils/getRunningExpressApp'
Expand Down Expand Up @@ -56,6 +57,17 @@ const generateTextToSpeech = async (req: Request, res: Response) => {
voice = providerConfig.voice
model = providerConfig.model
} else {
// Body-supplied credentials require the caller to be authenticated
const workspaceId = req.user?.activeWorkspaceId
if (!workspaceId) {
return res.status(StatusCodes.UNAUTHORIZED).json({ message: 'Authentication required' })
}
if (!bodyCredentialId) {
return res.status(StatusCodes.BAD_REQUEST).json({ message: 'credentialId not provided' })
}
// Verify the credential belongs to the authenticated user's workspace —
// throws NOT_FOUND if the credential doesn't exist or belongs to another workspace
await credentialsService.getCredentialById(bodyCredentialId, workspaceId)
// Use TTS config from request body
provider = bodyProvider
credentialId = bodyCredentialId
Comment thread
christopherholland-workday marked this conversation as resolved.
Outdated
Expand All @@ -80,8 +92,6 @@ const generateTextToSpeech = async (req: Request, res: Response) => {
res.setHeader('Content-Type', 'text/event-stream')
res.setHeader('Cache-Control', 'no-cache')
res.setHeader('Connection', 'keep-alive')
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')

const appServer = getRunningExpressApp()
const options = {
Expand Down