CVE-2025-32962Open Redirect in Flask-appbuilder

CWE-601Open Redirect4 documents4 sources
Severity
6.1MEDIUMNVD
CNA4.3
EPSS
0.2%
top 58.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Dpgaspar Flask-appbuilder
Timeline
PublishedMay 16

Description

Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. As a workaround, use a reverse proxy to enforce trusted host headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

CVEListV5dpgaspar/flask-appbuilder< 4.6.2

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
Flask-AppBuilder open redirect vulnerability using HTTP host injection2025-05-16
GHSA
Flask-AppBuilder open redirect vulnerability using HTTP host injection2025-05-16
CVEList
Flask-AppBuilder open redirect vulnerability using HTTP host injection2025-05-16
CVE-2025-32962 — Open Redirect in Flask-appbuilder | cvebase