GHSA-99pm-ch96-ccp2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-99pm-ch96-ccp2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-99pm-ch96-ccp2/GHSA-99pm-ch96-ccp2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-99pm-ch96-ccp2
- Aliases
- Related
- Published
- 2025-05-16T17:28:25Z
- Modified
- 2025-05-16T18:28:39.495984Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Flask-AppBuilder open redirect vulnerability using HTTP host injection
- Details
-
Impact
Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests.
Patches
Flask-AppBuilder 4.6.2 introduced the
FAB_SAFE_REDIRECT_HOSTSconfiguration variable, which allows administrators to explicitly define which domains are considered safe for redirection.Examples:
FAB_SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]Workarounds
Use a Reverse Proxy to Enforce Trusted Host Headers
References
Are there any links users can visit to find out more?
- Database specific
{ "nvd_published_at": "2025-05-16T14:15:31Z", "cwe_ids": [ "CWE-601" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-05-16T17:28:25Z" }- References
Affected packages
PyPI / flask-appbuilder
Package
- Name
- flask-appbuilder
- View open source insights on deps.dev
- Purl
- pkg:pypi/flask-appbuilder
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.6.2
Affected versions
0.*
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.33
0.1.34
0.1.35
0.1.36
0.1.37
0.1.38
0.1.43
0.1.44
0.1.45
0.1.46
0.1.47
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.7.1
1.8.0
1.8.1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.10.0
1.11.0
1.11.1
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.2.0rc1
2.2.0rc2
2.2.0
2.2.1rc1
2.2.1rc2
2.2.1rc3
2.2.1
2.2.2rc1
2.2.2rc2
2.2.2rc3
2.2.2
2.2.3rc1
2.2.3rc2
2.2.3rc3
2.2.3rc4
2.2.3rc5
2.2.3rc6
2.2.3
2.2.4rc1
2.2.4
2.3.0rc1
2.3.0rc2
2.3.0rc3
2.3.0rc4
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2
2.3.3rc1
2.3.3rc2
2.3.3rc3
2.3.3
2.3.4rc1
2.3.4
3.*
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1rc1
3.0.1
3.1.0rc1
3.1.0rc2
3.1.0rc3
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1rc3
3.1.1
3.2.0rc1
3.2.0rc2
3.2.0
3.2.1rc1
3.2.1
3.2.2rc1
3.2.2
3.2.3rc1
3.2.3rc2
3.2.3
3.3.0rc1
3.3.0
3.3.1rc1
3.3.1
3.3.2rc1
3.3.2
3.3.3rc1
3.3.3
3.3.4rc1
3.3.4
3.4.0rc1
3.4.0rc2
3.4.0
3.4.1rc1
3.4.1rc2
3.4.1rc3
3.4.1
3.4.2rc1
3.4.2
3.4.3rc1
3.4.3rc2
3.4.3
3.4.4rc1
3.4.4
3.4.5rc1
3.4.5
4.*
4.0.0rc1
4.0.0rc2
4.0.0rc3
4.0.0
4.0.1rc1
4.1.0
4.1.1rc1
4.1.1
4.1.2rc1
4.1.2
4.1.3rc1
4.1.3
4.1.4rc1
4.1.4
4.1.5rc1
4.1.5
4.1.6rc1
4.1.6
4.1.7rc1
4.2.0rc1
4.2.0
4.2.1rc1
4.2.1
4.2.2rc1
4.3.0rc1
4.3.0
4.3.1rc1
4.3.1
4.3.2rc1
4.3.2rc2
4.3.2
4.3.3rc1
4.3.3rc2
4.3.3
4.3.4rc1
4.3.4
4.3.5rc1
4.3.5rc2
4.3.5
4.3.6rc1
4.3.6
4.3.7rc1
4.3.7
4.3.8rc1
4.3.8
4.3.9rc1
4.3.9
4.3.10rc1
4.3.10
4.3.11rc1
4.3.11
4.4.0rc1
4.4.0
4.4.1rc2
4.4.1
4.5.0rc1
4.5.0
4.5.1rc1
4.5.1
4.5.2rc1
4.5.2
4.5.3rc1
4.5.3
4.5.4rc1
4.5.4rc2
4.5.4
4.5.5rc1
4.5.5rc2
4.5.5
4.6.0.dev1
4.6.0.dev2
4.6.0rc1
4.6.0
4.6.1rc1
4.6.1rc2
4.6.1rc3
4.6.1
4.6.2rc1