GHSA-99pm-ch96-ccp2: Flask-AppBuilder open redirect vulnerability using HTTP host injection

Impact

Flask-AppBuilder prior to 4.6.2 allowed an unauthenticated attacker to perform an open redirect by manipulating the Host header of an HTTP request: the application built redirect targets from the request's Host value without checking that it named a trusted host.

Patches

Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection.

Examples:

FAB_SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]
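The following is an added illustration of the host-allowlist idea behind FAB_SAFE_REDIRECT_HOSTS; it is example code written for this note, not Flask-AppBuilder's own implementation, and the allowlist entries are the placeholders from the advisory, not real deployments. It shows the unchecked pattern (a redirect target built directly from the Host header) beside a checked version that only accepts exact entries or "*.suffix" wildcards, compares the parsed hostname rather than the raw header, and falls back to a relative path when the host is not trusted.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist, same shape as the advisory's example (placeholder domains).
SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]


def parse_host(host_header):
    """Split a raw Host header ('name', 'name:port', '[v6]:port') into (hostname, port).

    Returns None when the header cannot be parsed. urlsplit lowercases the
    hostname and strips userinfo, so 'trusted@evil.example' yields 'evil.example'.
    """
    try:
        parts = urlsplit("//" + host_header.strip())
        return parts.hostname, parts.port  # .port raises ValueError on a bad port
    except ValueError:
        return None


def host_is_safe(host_header, allowed=SAFE_REDIRECT_HOSTS):
    """True only if the Host header names an allowlisted host.

    Hypothetical matcher: an entry is either an exact hostname, or '*.example'
    meaning any subdomain of example (not example itself).
    """
    parsed = parse_host(host_header)
    if not parsed or not parsed[0]:
        return False
    name = parsed[0]
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):  # suffix '.yourcompany.com'
                return True
        elif name == pattern:
            return True
    return False


def build_redirect_unchecked(host_header, path):
    """The vulnerable pattern: whatever the client sent as Host ends up in Location."""
    return urlunsplit(("https", host_header.strip(), path, "", ""))


def build_redirect(host_header, path, allowed=SAFE_REDIRECT_HOSTS, fallback="/"):
    """Hardened variant: absolute target only for a trusted host, else a relative fallback.

    The netloc is rebuilt from the parsed hostname and port, so nothing from the
    raw header other than those two components reaches the redirect.
    """
    if not host_is_safe(host_header, allowed):
        return fallback
    name, port = parse_host(host_header)
    if ":" in name:  # re-bracket an IPv6 literal for the URL
        name = f"[{name}]"
    netloc = name if port is None else f"{name}:{port}"
    return urlunsplit(("https", netloc, path, "", ""))


if __name__ == "__main__":
    # Constructed Host values, as a defender would test an allowlist.
    for host in ["yourdomain.com:8443", "api.yourcompany.com", "yourcompany.com",
                 "evil.example", "yourdomain.com.evil.example", "yourdomain.com@evil.example"]:
        print(f"{host!r:40} unchecked={build_redirect_unchecked(host, '/login')!r:45} "
              f"checked={build_redirect(host, '/login')!r}")
```

Note that the exact entry "yourdomain.com" does not cover "sub.yourdomain.com" (the advisory's example lists it separately), and the wildcard "*.yourcompany.com" does not cover the bare apex "yourcompany.com"; both choices keep the allowlist explicit, which is the point of the setting.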

Workarounds

Use a reverse proxy to enforce trusted Host headers: configure the proxy in front of Flask-AppBuilder to accept only the expected Host values and reject requests carrying any other value, so an attacker-supplied Host header never reaches the application.

References

Are there any links users can visit to find out more?

  • GHSA-99pm-ch96-ccp2
  • https://nvd.nist.gov/vuln/detail/CVE-2025-32962
  • dpgaspar/Flask-AppBuilder@32eedbb
