CVE-2025-58065 | Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods

Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.

Published: 2025-09-11 Last update: 2025-09-24 Assigner: [email protected] Source: [email protected]

NVD Status：Analyzed，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2025-58065

EPSS CVSS CWE GHSA Affected

Conclusion & alert: CVE-2025-58065 is rated Low Risk (28.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.03%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-58065

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.10%	0.03%	-0.07%
2	2025-11-18	0.03%	0.10%	+0.07%
3	2025-10-17	—	0.03%	—

Full EPSS history (4 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-58065

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.5	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	2.8	3.6	[email protected]

Weakness enumeration for CVE-2025-58065

CWE-287 MITRE ↗

GitHub Security Advisory for CVE-2025-58065

GHSA-765j-9r45-w2q2 · Severity: medium · Ecosystem: pip — Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods

Affected software / configurations for CVE-2025-58065

Vendor	Product	Version	Raw CPE
dpgaspar	flask-appbuilder	< 4.8.1	cpe:2.3:a:dpgaspar:flask-appbuilder::::::::

References for CVE-2025-58065

URL	Tags
https://github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93ee	Patch
https://github.com/dpgaspar/Flask-AppBuilder/pull/2384	Issue Tracking Patch
https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1	Release Notes
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2	Vendor Advisory

cvelogic Threat Intelligence