Flask-AppBuilder, Open Redirect Vulnerability, CVE-2025-XXXX (Moderate)

How the CVE Works:

Flask-AppBuilder versions before 4.6.2 are vulnerable to open redirection via HTTP `Host` header injection. An attacker who controls the `Host` header of a request can make the application redirect users to a domain of the attacker's choosing. The root cause is insufficient validation of redirect URLs: the application derives the redirect target from the `Host` header without checking it against an allowlist of trusted hosts, so a crafted link that appears legitimate can land the user on a phishing site or a malware download.

DailyCVE Form:

Platform: Flask-AppBuilder
Version: < 4.6.2
Vulnerability: Open Redirect
Severity: Moderate
Date: May 16, 2025

What Undercode Says:

Exploitation:

1. Craft a malicious URL with a manipulated `Host` header:

curl -H "Host: evil.com" http://victim.com/redirect?next=http://evil.com

2. Use social engineering to trick users into clicking the link.

Protection:

1. Upgrade to Flask-AppBuilder 4.6.2 or later.

2. Configure `FAB_SAFE_REDIRECT_HOSTS` to restrict allowed domains:

FAB_SAFE_REDIRECT_HOSTS = ['trusted.com']

3. Implement reverse proxy validation for `Host` headers:

server {
    # Close the connection (444) for any request whose Host header is not exactly
    # trusted.com. The dot must be escaped, or "trustedXcom" would match as well.
    if ($host !~ "^trusted\.com$") {
        return 444;
    }
}

Detection:

1. Scan for vulnerable endpoints:

nmap -p 80 --script http-open-redirect victim.com

2. Audit redirect logic in Flask routes.

Mitigation:

1. Disable dynamic redirects if unused.

2. Use URL allowlisting in middleware:

from urllib.parse import urlsplit
from flask import abort
def validate_redirect(url):
    p = urlsplit(url)  # parse the URL: a plain startswith() check lets //evil.com and https://trusted.com.evil.com through
    trusted = (p.scheme, p.netloc) == ('https', 'trusted.com')
    local = not p.scheme and not p.netloc and url.startswith('/') and not url.startswith('//') and '\\' not in url
    if not (trusted or local):
        abort(400)
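Added example, not code from the advisory or from the Flask-AppBuilder project, covering both the mechanism described under "How the CVE Works" and the allowlisting step above: the `Host` header is only compared against an allowlist and never copied into the generated URL, and the `next` value is parsed with `urllib.parse` so that protocol-relative (`//evil.com`), triple-slash, backslash, userinfo and prefix-match variants all fall back to `/`. `ALLOWED_HOSTS`, `FALLBACK`, `safe_redirect_target` and the sample inputs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a deployment would load it from config
# (the advisory's FAB_SAFE_REDIRECT_HOSTS setting plays the same role).
ALLOWED_HOSTS = {"trusted.com", "www.trusted.com"}
FALLBACK = "/"


def host_is_allowed(host_header: str) -> bool:
    """Compare the raw Host header (lowercased, ':port' dropped) with the allowlist."""
    host = host_header.strip().lower().split(":", 1)[0]
    return host in ALLOWED_HOSTS


def safe_redirect_target(next_url: str, host_header: str) -> str:
    """Return a redirect target that can only land on an allowlisted host.

    The vulnerable pattern builds the target from the request's Host header
    ("http://" + request.host + next_url), so a spoofed Host controls it.  Here
    the header is only checked, never copied into the URL, and next_url is
    parsed instead of prefix-matched.
    """
    if not host_is_allowed(host_header):
        return FALLBACK  # request arrived under a Host we do not serve
    if any(c in next_url for c in "\\\r\n\t"):
        return FALLBACK  # browsers treat '\' as '/'; CR/LF/TAB invite header and parser tricks
    p = urlsplit(next_url)
    if p.scheme == "" and p.netloc == "":
        # Site-relative path: exactly one leading '/'. "//evil.com" goes to netloc,
        # but "///evil.com" would not, and browsers resolve it to https://evil.com/.
        return next_url if next_url.startswith("/") and not next_url.startswith("//") else FALLBACK
    # Absolute or protocol-relative URL: require https, no userinfo, exact hostname match.
    if p.scheme != "https" or p.username is not None or p.hostname not in ALLOWED_HOSTS:
        return FALLBACK
    return next_url


if __name__ == "__main__":
    # Constructed cases: (next parameter, Host header) -> where the client is sent
    cases = [("/dashboard", "trusted.com:443"), ("/dashboard", "evil.com"),
             ("//evil.com/x", "trusted.com"), ("///evil.com", "trusted.com"),
             ("https://trusted.com.evil.com/", "trusted.com"),
             ("https://trusted.com/settings", "www.trusted.com"), ("/\\evil.com", "trusted.com")]
    for nxt, host in cases:
        print(f"next={nxt!r:34} Host={host!r:18} -> {safe_redirect_target(nxt, host)!r}")
```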

Sources:

Reported By: github.com