alert http $HOME_NET any -> any any (msg:"ET INFO Flowise Exposed User tempToken"; flow:established,to_client; http.response_body; content:"|22|user|22 3a|"; content:"|22|tempToken|22 3a|"; fast_pattern; content:"|22|tokenExpiry|22 3a|"; reference:url,github.com/advisories/GHSA-wgpv-6j63-x5ph; classtype:misc-activity; sid:2065965; rev:3; metadata:affected_product Flowise, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_20; target:dest_ip;)