CVE-2025-24023: Observable Response Discrepancy in flask-appbuilder

3.7 CVSS

Description

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by measuring the server's response time to login requests during a brute-force attempt. This vulnerability is fixed in 4.5.3.
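The CWE-204 pattern behind this advisory, as an added illustration that is not Flask-AppBuilder's own code: a login check that returns early for unknown usernames skips the password hashing work, so a missing user answers measurably faster than a real user with a wrong password. The hardened version verifies a dummy credential on the unknown-user path so both branches cost the same. The in-memory user store, the PBKDF2 parameters and the `timing_gap_ms` regression check are constructed for this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # constructed value; real deployments tune this higher

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed in-memory user store for this example (not Flask-AppBuilder's).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified whenever the username is unknown, so the
# known-user and unknown-user paths pay the same hashing cost.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused-dummy-password", _DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> bool:
    """Early return for unknown users: the cheap path leaks username existence."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)

def login_hardened(username: str, password: str) -> bool:
    """Always hash and compare in constant time, then reject unknown users."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and rec is not None

def timing_gap_ms(login, trials: int = 15) -> float:
    """Median extra time (ms) a wrong password for a real user costs over the
    same attempt against a missing user; a defender's regression check."""
    def median(fn):
        ts = []
        for _ in range(trials):
            t0 = time.perf_counter()
            fn()
            ts.append(time.perf_counter() - t0)
        ts.sort()
        return ts[len(ts) // 2]
    real = median(lambda: login("alice", "wrong"))
    missing = median(lambda: login("nobody", "wrong"))
    return (real - missing) * 1000.0
```

Running `timing_gap_ms` against both variants shows a gap of roughly one PBKDF2 computation for `login_vulnerable` and close to zero for `login_hardened`; keeping such a check in a test suite catches reintroduction of the early return.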

Classification

CVE ID: CVE-2025-24023

CVSS Base Severity: LOW

CVSS Base Score: 3.7

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-204: Observable Response Discrepancy

Affected Products

Vendor: dpgaspar

Product: Flask-AppBuilder

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 10.9% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-01 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-24023
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp

Timeline