Low severityNVD Advisory· Published Mar 3, 2025· Updated Mar 3, 2025

Observable Response Discrepancy in flask-appbuilder

CVE-2025-24023

Description

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
flask-appbuilderPyPI	< 4.5.3	4.5.3

Affected products

Dpgaspar/Flask Appbuilderv5
Range: < 4.5.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-p8q5-cvwx-wvwpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-24023ghsaADVISORY
github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwpghsax_refsource_CONFIRMWEB
github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2025-15.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000