GHSA-765J-9R45-W2Q2
Vulnerability from github – Published: 2025-09-11 16:51 – Updated: 2025-09-13 04:44
VLAI?
Summary
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
Details
Impact
When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.
Patches
Upgrade to Flask-AppBuilder version 4.8.1 or later
Workarounds
If immediate upgrade is not possible: - Manually disable password reset routes in the application configuration - Implement additional access controls at the web server or proxy level to block access to the reset my password URL. - Monitor for suspicious password reset attempts from disabled accounts
Severity ?
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "flask-appbuilder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58065"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-11T16:51:57Z",
"nvd_published_at": "2025-09-11T18:15:35Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.\n\n### Patches\nUpgrade to Flask-AppBuilder version 4.8.1 or later\n\n### Workarounds\nIf immediate upgrade is not possible:\n- Manually disable password reset routes in the application configuration\n- Implement additional access controls at the web server or proxy level to block access to the reset my password URL.\n- Monitor for suspicious password reset attempts from disabled accounts",
"id": "GHSA-765j-9r45-w2q2",
"modified": "2025-09-13T04:44:01Z",
"published": "2025-09-11T16:51:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58065"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/2384"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/dpgaspar/Flask-AppBuilder"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…