CVE-2025-58065
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
EPSS 0.03% · 8.6th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| dpgaspar | flask-appbuilder | 0 |
| PyPI | flask-appbuilder | 0 |
| dpgaspar | Flask-AppBuilder | < 4.8.1 |
Timeline
- Jan 21, 1970 Fix PR Merged
- Jan 21, 1970 Security Advisory
- Sep 11, 2025 CVE Published
- Sep 11, 2025 PoC Published
- Sep 12, 2025 EPSS Score
- Sep 12, 2025 Coalition ESS Score
- Sep 13, 2025 CVE Updated
- Sep 15, 2025 Coalition ESS Score
- Sep 19, 2025 EPSS Score
- Sep 26, 2025 EPSS Score
- Oct 4, 2025 EPSS Score
- Oct 4, 2025 Coalition ESS Score
References
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2 url
- https://github.com/dpgaspar/Flask-AppBuilder/pull/2384 url
- https://github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93ee url
- https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-58065 advisory
- https://github.com/dpgaspar/Flask-AppBuilder package