Vulnerability Description
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dpgaspar | Flask-Appbuilder | < 4.8.1 |
Related Weaknesses (CWE)
References
- https://github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd819Patch
- https://github.com/dpgaspar/Flask-AppBuilder/pull/2384Issue TrackingPatch
- https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1Release Notes
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-Vendor Advisory
FAQ
What is CVE-2025-58065?
CVE-2025-58065 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password res...
How severe is CVE-2025-58065?
CVE-2025-58065 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-58065?
Check the references section above for vendor advisories and patch information. Affected products include: Dpgaspar Flask-Appbuilder.