CVE-2025-32962

Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. As a workaround, use a reverse proxy to enforce trusted host headers.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6	Patch
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*

History

19 Sep 2025, 18:04

Type	Values Removed	Values Added
Summary		(es) Flask-AppBuilder es un framework de desarrollo de aplicaciones basado en Flask. Las versiones anteriores a la 4.6.2 permitían que un agente malicioso no autenticado realizara una redirección abierta manipulando el encabezado Host en las solicitudes HTTP. Flask-AppBuilder 4.6.2 introdujo la variable de configuración `FAB_SAFE_REDIRECT_HOSTS`, que permite a los administradores definir explícitamente qué dominios se consideran seguros para la redirección. Como workaround, utilice un proxy inverso para aplicar encabezados de host de confianza.
First Time		Dpgaspar Dpgaspar flask-appbuilder
CPE		cpe:2.3:a:dpgaspar:flask-appbuilder::::::::
References	~~() https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6 -~~	() https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6 - Patch
References	~~() https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2 -~~	() https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2 - Vendor Advisory

16 May 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-16 14:15

Updated : 2025-09-19 18:04

NVD link : CVE-2025-32962

Mitre link : CVE-2025-32962

CVE.ORG link : CVE-2025-32962

JSON object : View

Products Affected

dpgaspar

flask-appbuilder

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

4.3 /10