Flask-AppBuilder open redirect vulnerability using HTTP host injection
Description
Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 allow an unauthenticated attacker to perform an open redirect by manipulating the Host header of an HTTP request: the check that validates the post-login `next` URL derives its set of trusted hosts from the request itself (in the fix commit, `is_safe_redirect_url` falls back to `urlparse(request.host_url).netloc` when no allowlist is configured), so a request carrying an attacker-chosen Host and a `next` URL on that same host passes validation and the victim is sent off-site after logging in. Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, a list of hostnames (the tests also exercise wildcard entries such as `*.localhost`) with which administrators explicitly define which domains are safe for redirection; the patched code still falls back to the request host when that list is empty, so the setting must actually be configured. As a workaround, run the application behind a reverse proxy that enforces trusted Host headers, rejecting requests whose Host is not the application's own.
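The following is an added example, not Flask-AppBuilder's own code, that reproduces the shape of the `is_safe_redirect_url` check visible in the fix commit. The request host and the configured allowlist are passed as explicit parameters instead of being read from Flask's `request` and `current_app` globals, so it runs without Flask installed. The hostnames (`app.example.com`, `evil.example`) are constructed for the scenario, and the wildcard rule (`*.example.com` matches subdomains but not the apex) is an assumption, since the page only shows that `*.localhost` is accepted as an entry. The example goes beyond the advisory's case to show the scheme-relative and backslash variants a redirect check also has to reject.

```python
"""Safe-redirect check in the shape of the advisory's is_safe_redirect_url.

Added example, not Flask-AppBuilder's own code: the request host and the
configured allowlist are explicit parameters instead of Flask's
``request``/``current_app`` globals, so this runs without Flask installed.
"""
from urllib.parse import urlparse

VALID_SCHEMES = ("http", "https")


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one allowlist entry.

    Assumption (the page only shows that "*.localhost" is accepted as an
    entry): "*.example.com" matches any subdomain of example.com but not
    example.com itself; anything else is an exact, case-insensitive match.
    """
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return host == pattern


def is_safe_redirect_url(url: str, request_host: str, safe_hosts=None) -> bool:
    """Return True if ``url`` may be used as a post-login redirect target.

    ``request_host`` is what the server saw in the Host header (Flask's
    ``request.host``). ``safe_hosts`` is the operator-configured allowlist
    (FAB_SAFE_REDIRECT_HOSTS in 4.6.2+). An empty allowlist reproduces the
    vulnerable fallback visible in the fix commit: the trusted host is taken
    from the request itself.
    """
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    url = url.strip().replace("\\", "/")
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        # Host-less value: accept only an absolute path on this site.
        return url.startswith("/") and not url.startswith("//")
    scheme = parsed.scheme or "http"  # scheme-relative "//host/x" defaults to http
    if scheme not in VALID_SCHEMES or parsed.hostname is None:
        return False  # javascript:, data:, mailto:, or no usable host
    if not safe_hosts:
        # The weak default: whoever sends the request picks the "trusted" host.
        safe_hosts = [urlparse(f"http://{request_host}").hostname]
    return any(host_matches(parsed.hostname, entry) for entry in safe_hosts)


def demo() -> dict:
    """Constructed scenario: the app is served as app.example.com, the attacker
    sends Host: evil.example and next=https://evil.example/phish."""
    spoofed = "evil.example"
    phish = "https://evil.example/phish"
    allow = ["app.example.com"]
    return {
        # Empty allowlist (the pre-fix default): the spoofed Host validates itself.
        "no_allowlist_spoofed_host": is_safe_redirect_url(phish, spoofed),
        # Explicit allowlist: the same request is rejected.
        "allowlist_spoofed_host": is_safe_redirect_url(phish, spoofed, allow),
        "allowlist_legit_target": is_safe_redirect_url("https://app.example.com/home", spoofed, allow),
        "wildcard_subdomain": is_safe_redirect_url("https://reports.example.com/x", spoofed, ["*.example.com"]),
        "wildcard_apex_not_matched": is_safe_redirect_url("https://example.com/", spoofed, ["*.example.com"]),
        "scheme_relative": is_safe_redirect_url("//evil.example/phish", "app.example.com", allow),
        "backslash_trick": is_safe_redirect_url("/\\evil.example/phish", "app.example.com", allow),
        "relative_path": is_safe_redirect_url("/admin", spoofed, allow),
        "javascript_scheme": is_safe_redirect_url("javascript:alert(1)", "app.example.com", allow),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} -> {'ALLOWED' if ok else 'rejected'}")
```

The first two entries of `demo()` are the whole advisory in miniature: with no allowlist the attacker's own Host header becomes the trusted host and the phishing URL is accepted; with `FAB_SAFE_REDIRECT_HOSTS` set to the real hostname the identical request is rejected. In a real deployment the reverse proxy should additionally refuse requests whose Host is not the application's own, so the fallback path is never reached even if the setting is forgotten.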
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flask-appbuilder (PyPI) | < 4.6.2 | 4.6.2 |
Affected products
- Range: < 4.6.2
Patches
- 32eedbbb5cb4 fix: change SAFE_REDIRECT_HOSTS to FAB_SAFE_REDIRECT_HOSTS (#2335)
3 files changed · +8 −4
docs/config.rst+4 −0 modified@@ -330,10 +330,14 @@ Use config.py to configure the following parameters. By default it will use SQLL | | `generate_password_hash`_. | No | | | Default: ``'scrypt'``. | | +----------------------------------------+--------------------------------------------+-----------+ +| FAB_SAFE_REDIRECT_HOSTS | A List[str] with allowed domains to check | | +| | when validating safe redirect | No | ++----------------------------------------+--------------------------------------------+-----------+ | FAB_PASSWORD_HASH_SALT_LENGTH | Sets the password hashing salt length. | No | | | Default: ``16``. | | +----------------------------------------+--------------------------------------------+-----------+ + .. _generate_password_hash: https://werkzeug.palletsprojects.com/en/stable/utils/#werkzeug.security.generate_password_hash Note
flask_appbuilder/utils/base.py+1 −1 modified@@ -29,7 +29,7 @@ def is_safe_redirect_url(url: str) -> bool: scheme = "http" valid_schemes = ["http", "https"] - safe_hosts = current_app.config.get("SAFE_REDIRECT_HOSTS", []) + safe_hosts = current_app.config.get("FAB_SAFE_REDIRECT_HOSTS", []) if not safe_hosts: safe_hosts = [urlparse(request.host_url).netloc]
tests/security/test_mvc_security.py+3 −3 modified@@ -249,7 +249,7 @@ def test_login_next_url_spoofed_host_header_disallowed(self): """ Ensure a spoofed Host header does not allow redirection to an untrusted domain """ - self.app.config["SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host + self.app.config["FAB_SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host self.browser_logout(self.client) response = self.browser_login( @@ -268,7 +268,7 @@ def test_login_next_url_spoofed_host_header_allowed_config(self): """ Ensure a spoofed Host header does not allow redirection to an untrusted domain """ - self.app.config["SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host + self.app.config["FAB_SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host self.browser_logout(self.client) response = self.browser_login( @@ -287,7 +287,7 @@ def test_login_next_url_allowed_config_wildcard(self): """ Ensure a spoofed Host header does not allow redirection to an untrusted domain """ - self.app.config["SAFE_REDIRECT_HOSTS"] = ["*.localhost"] # trusted dev host + self.app.config["FAB_SAFE_REDIRECT_HOSTS"] = ["*.localhost"] # trusted dev host self.browser_logout(self.client) response = self.browser_login(
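Review bot: in the docs/config.rst hunk, the new FAB_SAFE_REDIRECT_HOSTS row documents neither the default behaviour (the base.py hunk falls back to the request host when the list is empty) nor the wildcard form the tests exercise (`["*.localhost"]`); add a `Default:` line like the neighbouring rows and an example entry showing the wildcard syntax. The row is also inserted between the row ending in `generate_password_hash`_ / Default ``'scrypt'`` and FAB_PASSWORD_HASH_SALT_LENGTH, splitting the password-hashing settings; place it next to the other redirect or security options instead.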
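Review bot: in the flask_appbuilder/utils/base.py hunk, renaming the key drops anyone already setting SAFE_REDIRECT_HOSTS without a transition: `current_app.config.get("FAB_SAFE_REDIRECT_HOSTS", [])` returns an empty list for those deployments, and the unchanged `if not safe_hosts: safe_hosts = [urlparse(request.host_url).netloc]` then derives the trusted host from the incoming request's Host header, which is exactly the input the advisory says an attacker controls. Read the old key as a deprecated fallback (with a warning) in the same call, and consider whether an empty allowlist should trust Flask's SERVER_NAME rather than the request host.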
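Review bot: in the tests/security/test_mvc_security.py hunk, all three tests keep the identical docstring "Ensure a spoofed Host header does not allow redirection to an untrusted domain", but test_login_next_url_spoofed_host_header_allowed_config and test_login_next_url_allowed_config_wildcard, by their names, assert that a configured host (`["localhost"]`, `["*.localhost"]`) is allowed; give each test a docstring that states its own case. None of the three covers the empty-allowlist default the base.py hunk leaves in place, so add a test that sends a spoofed Host with no FAB_SAFE_REDIRECT_HOSTS set and pins down the expected result.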
References
- github.com/advisories/GHSA-99pm-ch96-ccp2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-32962 (NVD entry)
- github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6 (fix commit)
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2 (upstream advisory)