Moderate severity. NVD Advisory. Published May 16, 2025; updated May 16, 2025.
Flask-AppBuilder open redirect vulnerability using HTTP host injection
CVE-2025-32962
Description
Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. As a workaround, use a reverse proxy to enforce trusted host headers.
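The fix described above comes down to validating the redirect target against a configured allowlist instead of against the request's own Host header. The following is an added illustration, not Flask-AppBuilder's own code: `SAFE_REDIRECT_HOSTS` is a constructed stand-in for the `FAB_SAFE_REDIRECT_HOSTS` setting, and the function names and fallback path are assumptions.

```python
from urllib.parse import urljoin, urlparse

# Constructed allowlist playing the role of FAB_SAFE_REDIRECT_HOSTS (assumed value).
SAFE_REDIRECT_HOSTS = {"app.example.com"}
FALLBACK = "/"  # where to send the user when the target is not trusted


def resolve_redirect_vulnerable(next_url: str, host_header: str) -> str:
    """Pre-fix pattern: the target is checked against the request's own Host.

    The absolute URL is built from the Host header, and its host is then compared
    with that same Host header, so whatever Host a client sends passes its own
    check. Only a 'next' pointing at a different host is caught.
    """
    absolute = urljoin(f"https://{host_header}/", next_url)
    if urlparse(absolute).netloc == host_header:
        return absolute
    return FALLBACK


def resolve_redirect_safe(next_url: str, host_header: str,
                          safe_hosts=SAFE_REDIRECT_HOSTS) -> str:
    """Post-fix pattern: only hosts on a configured allowlist may be targets.

    The Host header still participates in building the URL, but the decision
    is made against configuration the client cannot influence.
    """
    absolute = urljoin(f"https://{host_header}/", next_url)
    parsed = urlparse(absolute)
    if parsed.scheme not in ("http", "https"):
        return FALLBACK
    # .hostname is lower-cased and has any port stripped
    if parsed.hostname not in safe_hosts:
        return FALLBACK
    return absolute


if __name__ == "__main__":
    # Constructed requests: an untrusted Host value versus the real one.
    print(resolve_redirect_vulnerable("/dashboard", "untrusted.example"))
    print(resolve_redirect_safe("/dashboard", "untrusted.example"))
    print(resolve_redirect_safe("/dashboard", "app.example.com"))
```

The same allowlist check also rejects an absolute `next` URL on a foreign host, which is the one case the pre-fix comparison already handled.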
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flask-appbuilder (PyPI) | < 4.6.2 | 4.6.2 |
Affected products
19 package coordinates (OSV), with the affected version range for each (no CPE assigned):
- pkg:apk/chainguard/airflow-3: < 3.0.1-r1
- pkg:apk/chainguard/airflow-3-bitnami-compat: < 3.0.1-r1
- pkg:apk/chainguard/airflow-3-compat: < 3.0.1-r1
- pkg:apk/chainguard/airflow-3-iamguarded-compat: < 3.0.1-r1
- pkg:apk/chainguard/airflow-core-2: < 2.11.2-r5
- pkg:apk/chainguard/superset: < 4.1.2-r2
- pkg:apk/chainguard/superset-ci: < 4.1.2-r2
- pkg:apk/chainguard/superset-entrypoint: < 4.1.2-r2
- pkg:apk/chainguard/superset-iamguarded-compat: < 4.1.2-r2
- pkg:apk/wolfi/airflow-3: < 3.0.1-r1
- pkg:apk/wolfi/airflow-3-bitnami-compat: < 3.0.1-r1
- pkg:apk/wolfi/airflow-3-compat: < 3.0.1-r1
- pkg:apk/wolfi/airflow-3-iamguarded-compat: < 3.0.1-r1
- pkg:apk/wolfi/superset: < 4.1.2-r2
- pkg:apk/wolfi/superset-ci: < 4.1.2-r2
- pkg:apk/wolfi/superset-entrypoint: < 4.1.2-r2
- pkg:apk/wolfi/superset-iamguarded-compat: < 4.1.2-r2
- pkg:pypi/flask-appbuilder: < 4.6.2
References
- github.com/advisories/GHSA-99pm-ch96-ccp2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-32962 (NVD advisory)
- github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6 (fix commit)
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2 (vendor advisory)