PT-2025-28174 · Pypi · Flask-Boilerplate

Rui Yang · Published 2025-07-07 · Updated 2025-07-07 · CVE-2025-43931

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: flask-boilerplate versions through commit a170e7c
Description: The issue allows account takeover via the password reset feature. The application does not configure Flask's SERVER_NAME, so the absolute URL placed in the password reset link is derived from the Host HTTP header of the incoming request, which an unauthenticated sender controls.
Recommendations: For versions through commit a170e7c, configure SERVER_NAME so that the password reset link no longer depends on the Host HTTP header. As a temporary workaround, consider restricting access to the password reset feature until SERVER_NAME is properly configured.
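The following is an added example, not code from flask-boilerplate: it reproduces the weak setting (SERVER_NAME unset) and the recommended fix side by side, and gives a check a deployer can run to confirm a reset link built with `url_for(..., _external=True)` ignores an untrusted Host header. The host names, the token and the route are constructed placeholders.

```python
# Added example (not flask-boilerplate's own code): why a password-reset link
# built with url_for(_external=True) follows the request's Host header when
# SERVER_NAME is unset, and how setting SERVER_NAME pins the link host.
# Host names, token and route below are constructed placeholders.
from urllib.parse import urlsplit

from flask import Flask, url_for


def make_app(server_name=None):
    """Minimal app with a reset-confirmation route.

    server_name=None mirrors the advisory's weak configuration; a value such
    as "app.example.com" (assumed deployment host) is the recommended fix.
    """
    app = Flask(__name__)
    app.config["SERVER_NAME"] = server_name  # the only setting that changes

    @app.route("/reset/<token>")
    def reset_confirm(token):
        return "ok"

    return app


def reset_link_host(server_name, host_header, token="CONSTRUCTED-TOKEN"):
    """Return the host that the reset link would point at for a request
    carrying the given Host header (i.e. the link a mailer would send)."""
    app = make_app(server_name)
    # A request context lets us build the URL the view would build, without
    # running a server; the Host header is what the advisory says the link
    # depends on.
    with app.test_request_context("/reset", headers={"Host": host_header}):
        link = url_for("reset_confirm", token=token, _external=True)
    return urlsplit(link).netloc


def check_reset_link_pinned(server_name, untrusted_host="attacker.example"):
    """Deployment check: True when the link ignores an untrusted Host header."""
    return reset_link_host(server_name, untrusted_host) == server_name


if __name__ == "__main__":
    # Weak: the link host is taken from the request (account takeover risk)
    print(reset_link_host(None, "attacker.example"))
    # Fixed: the link host is pinned to the configured SERVER_NAME
    print(reset_link_host("app.example.com", "attacker.example"))
```

Run the check against the real deployment's SERVER_NAME value after applying the fix; a False result means the reset link still follows the Host header.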

Related Identifiers: CVE-2025-43931

Affected Products: Flask-Boilerplate