Headline
GHSA-99pm-ch96-ccp2: Flask-AppBuilder open redirect vulnerability using HTTP host injection
Impact
Flask-AppBuilder versions prior to 4.6.2 allow an unauthenticated attacker to perform an open redirect by manipulating the Host header of an HTTP request. Whether a redirect target counted as on-site was decided against the host the request itself claimed, so a request carrying an attacker-chosen Host header (or a forwarded host value the deployment honours) could push a target on that host through the check; the fix replaces that implicit trust with an explicit, operator-defined allowlist.
Patches
Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection.
Examples:
FAB_SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]
Workarounds
Use a reverse proxy to enforce trusted Host headers: configure the proxy in front of Flask-AppBuilder to accept only the host names you actually serve (for example by routing any unknown server name to a default server that returns an error) and to forward a fixed Host value to the application, so a client-supplied Host header never reaches the redirect logic. If the application is configured to honour X-Forwarded-Host, apply the same restriction to that header at the proxy.
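The following is an added example, not Flask-AppBuilder's own code, illustrating both the patch and the workaround above: a redirect check in the pre-fix shape (the request's own host decides what is on-site) next to one driven by an explicit allowlist in the shape of the FAB_SAFE_REDIRECT_HOSTS example, plus the Host-header validation a reverse proxy performs in front of the application. All function names, the allowlist and the sample targets are constructed for this illustration; the assumption that a "*." entry matches subdomains only, and that the allowlist must contain the application's own canonical host name(s), is this example's, not necessarily the project's.

```python
# Added example; not Flask-AppBuilder's own code. It models the class of check
# the advisory describes: a redirect target is "on site" if its host matches a
# host the application trusts. The function names, the allowlist below and the
# sample requests are constructed for this illustration.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allowlist in the shape of the FAB_SAFE_REDIRECT_HOSTS example.
# Assumption: a "*." entry matches subdomains only, not the bare domain.
ALLOWED_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]


def is_safe_redirect_vulnerable(target: str, request_host: str) -> bool:
    """Pre-fix pattern: trust the host the request arrived with.

    request_host comes from the Host header (or a forwarded host header the
    deployment honours), so anyone who controls that header can make an
    arbitrary absolute URL look like it belongs to the site.
    """
    parts = urlsplit(target)
    scheme_ok = not parts.scheme or parts.scheme in ("http", "https")
    return scheme_ok and (not parts.netloc or parts.netloc == request_host)


def host_allowed(hostname: str, allowed_hosts: list[str]) -> bool:
    """Case-insensitive match of a bare hostname against allowlist patterns.

    fnmatchcase gives '*' glob semantics; patterns are expected to contain only
    hostname characters and '*', so '?' and '[' do not come into play here.
    """
    hostname = hostname.lower().rstrip(".")
    if not hostname:
        return False
    return any(fnmatchcase(hostname, pattern.lower()) for pattern in allowed_hosts)


def is_safe_redirect_fixed(target: str, allowed_hosts: list[str]) -> bool:
    """Post-fix pattern: only an explicit, operator-controlled allowlist decides.

    The list must contain the application's own canonical host name(s); the
    request's Host header plays no part in the decision.
    """
    if not target:
        return False
    # Browsers treat backslashes as slashes, so "/\evil.example" names a host.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme:
        # "javascript:" and friends, and "http:///evil.example" (empty netloc,
        # which browsers repair into a real host) are both rejected.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False
    elif not parts.netloc:
        # A plain path such as "/dashboard" is fine; "///evil.example" parses
        # with an empty netloc but is read by browsers as a host, so refuse it.
        return not target.startswith("//")
    return host_allowed(parts.hostname or "", allowed_hosts)


def get_safe_redirect(target: str, allowed_hosts: list[str], fallback: str = "/") -> str:
    """Return the target if it passes the hardened check, else the fallback."""
    return target if is_safe_redirect_fixed(target, allowed_hosts) else fallback


def host_header_trusted(host_header: str, trusted_hosts: list[str]) -> bool:
    """The check the reverse-proxy workaround enforces in front of the app.

    The Host (or forwarded host) value must name a host you actually serve;
    anything else is dropped before the application builds a URL from it.
    """
    hostname = urlsplit(f"//{host_header}").hostname or ""
    return host_allowed(hostname, trusted_hosts)


if __name__ == "__main__":
    phish = "http://evil.example/phish"
    # Attacker supplies Host: evil.example and next=http://evil.example/phish.
    print("vulnerable check, attacker host:", is_safe_redirect_vulnerable(phish, "evil.example"))
    print("vulnerable check, real host:    ", is_safe_redirect_vulnerable(phish, "yourdomain.com"))
    for candidate in [phish, "/dashboard", "https://app.yourcompany.com/x",
                      "https://yourcompany.com.evil.example/", "///evil.example",
                      "/\\evil.example", "http:///evil.example"]:
        print(f"{candidate!r:45} -> {get_safe_redirect(candidate, ALLOWED_HOSTS)!r}")
    print("proxy accepts Host evil.example:", host_header_trusted("evil.example", ALLOWED_HOSTS))
```

Run as a script, the vulnerable check accepts the attacker's target as soon as the Host header names the attacker's host, while the allowlist-driven check rejects it regardless of the header, along with the backslash, triple-slash and empty-authority variants that parsers and browsers disagree about. A real deployment keeps the proxy-side host validation in addition to the application-side allowlist, since the two guard different stages of the request.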
References
- https://github.com/advisories/GHSA-99pm-ch96-ccp2
- https://nvd.nist.gov/vuln/detail/CVE-2025-32962
- https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbb (fix commit)