Vulnerability Description
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page, but that control is not done for the pages routes/adminPanelComments.py and routes/adminPanelPosts.py. Thus, an unauthorized user can bypass the intended restrictions, leaking sensitive data and accessing the following pages: /admin/posts, /adminpanel/posts, /admin/comments, and /adminpanel/comments.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dogukanurker | Flaskblog | <= 2.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-h239-vv39-v3vExploitThird Party Advisory
- https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-jw79-2xvp-76pExploitThird Party Advisory
FAQ
What is CVE-2025-55734?
CVE-2025-55734 is a vulnerability with a CVSS score of 6.5 (MEDIUM). flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only t...
How severe is CVE-2025-55734?
CVE-2025-55734 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55734?
Check the references section above for vendor advisories and patch information. Affected products include: Dogukanurker Flaskblog.