VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-nc2g-v8pn-nqcy

Essentials
Severities (13)
References (6)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-nc2g-v8pn-nqcy
Aliases	CVE-2024-25128 GHSA-j2pw-vp55-fqqj
Summary	Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID ### Impact When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers. ### Patches Upgrade to Flask-AppBuilder 4.3.11 ### Workarounds If upgrade is not possible add the following to your config: ``` from flask import flash, redirect from flask_appbuilder import expose from flask_appbuilder.security.sqla.manager import SecurityManager from flask_appbuilder.security.views import AuthOIDView from flask_appbuilder.security.forms import LoginForm_oid basedir = os.path.abspath(os.path.dirname(__file__)) class FixedOIDView(AuthOIDView): @expose("/login/", methods=["GET", "POST"]) def login(self, flag=True): form = LoginForm_oid() if form.validate_on_submit(): identity_url = None for provider in self.appbuilder.sm.openid_providers: if provider.get("url") == form.openid.data: identity_url = form.openid.data if identity_url is None: flash(self.invalid_login_message, "warning") return redirect(self.appbuilder.get_url_for_login) return super().login(flag=flag) class FixedSecurityManager(SecurityManager): authoidview = FixedOIDView FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager" ```
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-287	Improper Authentication
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.0096	https://api.first.org/data/v1/epss?cve=CVE-2024-25128
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-j2pw-vp55-fqqj
cvssv3.1	9.1	https://github.com/dpgaspar/Flask-AppBuilder
generic_textual	CRITICAL	https://github.com/dpgaspar/Flask-AppBuilder
cvssv3.1	9.1	https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
generic_textual	CRITICAL	https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
ssvc	Track	https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
cvssv3.1	9.1	https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
cvssv3.1_qr	CRITICAL	https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
generic_textual	CRITICAL	https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
ssvc	Track	https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
cvssv3.1	9.1	https://nvd.nist.gov/vuln/detail/CVE-2024-25128
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2024-25128

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-25128
		https://github.com/dpgaspar/Flask-AppBuilder
		https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
CVE-2024-25128		https://nvd.nist.gov/vuln/detail/CVE-2024-25128
GHSA-j2pw-vp55-fqqj		https://github.com/advisories/GHSA-j2pw-vp55-fqqj
GHSA-j2pw-vp55-fqqj		https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/dpgaspar/Flask-AppBuilder

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-26T19:49:15Z/ Found at https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-26T19:49:15Z/ Found at https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-25128

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.76856
EPSS Score	0.0096
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:47:15.278753+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2024-25128.yml	38.6.0