PT-2025-21650 · Unknown · Flask-Appbuilder
Author: Mar0N0 · Published 2025-05-16 · Updated 2025-12-01
CVE-2025-32962 · CVSS v3.1 6.1 (Medium) · AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Flask-AppBuilder versions prior to 4.6.2
Description: The issue allows an unauthenticated remote actor to perform an open redirect by manipulating the Host header of HTTP requests, because the redirect logic treated the request's own Host as a trusted destination. Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which lets administrators explicitly define the domains that are considered safe targets for redirection.
Recommendations: For versions prior to 4.6.2, place the application behind a reverse proxy that enforces trusted Host headers as a workaround. Update to version 4.6.2 or later and set FAB_SAFE_REDIRECT_HOSTS to the domains that redirects may legitimately point to.
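The following Python is an added illustration, not Flask-AppBuilder's own code, of the two redirect checks the advisory contrasts: a weak check that derives the "allowed" host from the request's Host header, and a hardened check that compares the target against an administrator-defined allow-list, which is the model FAB_SAFE_REDIRECT_HOSTS follows. It goes slightly beyond the advisory by also handling scheme-relative targets, backslash variants, credentials in the authority and non-HTTP schemes. The function names, the hypothetical safe-host list and all sample targets are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed example: generic safe-redirect validation, not the FAB implementation.


def _target_host(target: str):
    """Classify a redirect target.

    Returns (is_relative, host). Backslashes are normalised to slashes first
    because browsers treat "/\\evil.example" like "//evil.example" while
    urlsplit does not. Hosts come back lower-cased with userinfo/port removed.
    """
    parts = urlsplit(target.replace("\\", "/"))
    if not parts.scheme and not parts.netloc:
        # Pure path such as "/dashboard" or "home?tab=1": stays on this site.
        return True, None
    if parts.scheme and parts.scheme not in ("http", "https"):
        # javascript:, data:, file: and friends are never acceptable targets.
        return False, None
    return False, parts.hostname


def weak_is_safe_redirect(target: str, request_host: str) -> bool:
    """Vulnerable pattern: trusts the Host header of the incoming request.

    Anyone who controls the Host header controls what counts as "same site".
    """
    is_relative, host = _target_host(target)
    if is_relative:
        return True
    return host is not None and host == request_host.split(":")[0].lower()


def safe_is_safe_redirect(target: str, safe_hosts) -> bool:
    """Hardened pattern: compares against a fixed allow-list from configuration.

    `safe_hosts` plays the role of a FAB_SAFE_REDIRECT_HOSTS-style setting.
    """
    is_relative, host = _target_host(target)
    if is_relative:
        return True
    allowed = {h.lower() for h in safe_hosts}
    return host is not None and host in allowed


def redirect_target(requested: str, safe_hosts, fallback: str = "/") -> str:
    """Return the requested target if it passes the allow-list, else a fallback."""
    return requested if safe_is_safe_redirect(requested, safe_hosts) else fallback


if __name__ == "__main__":
    SAFE_HOSTS = ["app.example"]  # hypothetical allow-list
    for t in ["/dashboard", "https://app.example/x", "//evil.example/x",
              "https://app.example@evil.example/", "javascript:alert(1)"]:
        print(f"{t!r:45} -> {redirect_target(t, SAFE_HOSTS)}")
```

The weak variant accepts any absolute URL whose host matches a Host header the client itself supplied, which is the condition the advisory describes; the allow-list variant ignores the request entirely and only consults configuration, so a spoofed Host header no longer influences the decision.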

Weakness Enumeration: Open Redirect
Related Identifiers: CVE-2025-32962, GHSA-99PM-CH96-CCP2
Affected Products: Flask-Appbuilder