CVE-2025-58065

CVE-2025-58065 is a medium-severity vulnerability in Dpgaspar Flask-appbuilder with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.

Key facts

Description

Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.

Frequently asked questions

What is CVE-2025-58065?
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
How severe is CVE-2025-58065?
CVE-2025-58065 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
Is CVE-2025-58065 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (30th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-58065?
CVE-2025-58065 affects Dpgaspar Flask-appbuilder. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-58065?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-58065 have an EU (EUVD) identifier?
Yes. CVE-2025-58065 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-28980.
When was CVE-2025-58065 published?
CVE-2025-58065 was published on 2025-09-11 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Dpgaspar Flask-appbuilder

All CVEs affecting Dpgaspar Flask-appbuilder →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →