VYPR
Moderate severityNVD Advisory· Published May 16, 2025· Updated May 16, 2025

Flask-AppBuilder open redirect vulnerability using HTTP host injection

CVE-2025-32962

Description

Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. As a workaround, use a reverse proxy to enforce trusted host headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
flask-appbuilderPyPI
< 4.6.24.6.2

Affected products

19

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.