Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests.
Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection.
Examples:
FAB_SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]
Use a Reverse Proxy to Enforce Trusted Host Headers
Are there any links users can visit to find out more?
| Score | Percentile |
|---|---|
| 0.20% | 41.71% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-99pm-ch96-ccp2 ↗ |
| CVE | CVE-2025-32962 ↗ |
| CWE id | Name |
|---|---|
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | flask-appbuilder | < 4.6.2 | 4.6.2 | — |