CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-32962: Flask-AppBuilder open redirect vulnerability using HTTP host injection

4.3 CVSS

Description

Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. As a workaround, use a reverse proxy to enforce trusted host headers.

Classification

CVE ID: CVE-2025-32962

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Problem Types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Affected Products

Vendor: dpgaspar

Product: Flask-AppBuilder

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.16% (scored less or equal to compared to others)

EPSS Date: 2025-06-14 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32962
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2
https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6

Timeline

2025-05-16 14:40:11 UTC
CVE

Flask-AppBuilder open redirect vulnerability using HTTP host injection
2025-05-16 18:15:46 UTC
Github Advisory Database (PIP)

[flask-appbuilder] Flask-AppBuilder open redirect vulnerability using HTTP host injection