CVE-2025-32962
MEDIUM EPSS 9.0%
Published May 16, 20251y ago · Modified Jun 17, 20262w ago
6.1 CVSS 3.1
Published May 16, 2025 1y ago
Last Modified Jun 17, 2026 2w ago
Description
Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. As a workaround, use a reverse proxy to enforce trusted host headers.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None
Threat Intelligence
EPSS Exploit Probability
9.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-601
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| dpgaspar | flask-appbuilder | * | <4.6.2 |
References 2
- github.com https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6
- github.com https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2
Remediation
- github.com https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6