Flask-AppBuilder Open Redirect Vulnerability via Host Header Manipulation

Vulnerability

An open redirect vulnerability has been identified in Flask-AppBuilder versions prior to 4.6.2. The issue arises because the application does not properly validate the Host header of incoming HTTP requests, which could let an unauthenticated attacker redirect users to untrusted domains. The vulnerability has been addressed in version 4.6.2 by introducing the FAB_SAFE_REDIRECT_HOSTS configuration variable, which lets administrators specify the domains that are safe for redirection. As a workaround, a reverse proxy can be used to enforce trusted Host headers.

Impact

Exploitation of this vulnerability allows for open redirect attacks, where users can be sent to malicious websites under the guise of a trusted domain.

Reproduction

To reproduce this vulnerability, send an HTTP request to a Flask-AppBuilder application running a version prior to 4.6.2. Manipulate the Host header to include an untrusted domain. If the application redirects to this domain, the vulnerability is present.

Remediation

Flask-AppBuilder users should upgrade to version 4.6.2 or later. For those unable to upgrade, using a reverse proxy to enforce trusted host headers is recommended.
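As an added illustration of the fix described above (example code, not Flask-AppBuilder's own implementation; the function names and exact matching rules are assumptions), the following contrasts a redirect check that trusts the Host header with an allowlist check of the kind FAB_SAFE_REDIRECT_HOSTS enables:

```python
from urllib.parse import urlparse


def is_safe_redirect_trusting_host(target: str, request_host: str) -> bool:
    """Vulnerable pattern (illustrative, assumed): accept the target when
    its host matches the request's Host header. A client chooses its own
    Host header, so the check adds no real restriction."""
    ref = urlparse(target)
    return ref.scheme in ("", "http", "https") and ref.netloc in ("", request_host)


def is_safe_redirect_allowlist(target: str, safe_hosts: set[str]) -> bool:
    """Hardened check: the Host header is deliberately not an input.
    An absolute target is allowed only if its hostname is in a server-side
    allowlist (the role FAB_SAFE_REDIRECT_HOSTS plays). A site-relative
    path is allowed because the browser resolves it against the origin it
    actually connected to, whatever Host header was sent."""
    ref = urlparse(target)
    if not ref.scheme and not ref.netloc:
        # Relative path: require a single leading "/" and reject "/\" forms,
        # which some browsers normalise to a protocol-relative "//host".
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if ref.scheme not in ("http", "https"):
        return False
    # Conservative: userinfo or backslashes in the authority are parsed
    # differently by browsers and by urllib, so refuse them outright.
    if "@" in ref.netloc or "\\" in ref.netloc:
        return False
    host = (ref.hostname or "").lower()
    return host in {h.lower() for h in safe_hosts}


def redirect_target(target: str, safe_hosts: set[str], fallback: str = "/") -> str:
    """Return `target` if it passes the allowlist check, otherwise `fallback`."""
    return target if is_safe_redirect_allowlist(target, safe_hosts) else fallback
```

The allowlist is read from server configuration, never from the request, which is what breaks the Host header dependency the advisory describes.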

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread          3.4
  impact          0.8
  exploitability  7.6
  remediation     8.3
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.