CVE-2025-24023
Flask-AppBuilder Observable Response Discrepancy
Severity: LOW (CVSS 3.1 base score 3.7)
EPSS: 0.50%
Description
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by measuring the server's response time to brute-forced login requests, which differs depending on whether the submitted username exists. This vulnerability is fixed in 4.5.3.
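The discrepancy described above typically arises when a login handler only runs its expensive password-hash check for usernames that exist, so unknown users get a much faster rejection. The following added example (not Flask-AppBuilder's own code or its 4.5.3 patch) shows that leaky pattern beside the standard mitigation of verifying a dummy credential on the unknown-user path, plus a helper for checking that the two paths take comparable time; the user store, salts and PBKDF2 work factor are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the demo

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store with a single real account.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential verified whenever the username is unknown, so the
# unknown-user path performs the same PBKDF2 work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> bool:
    # Vulnerable pattern: unknown users are rejected immediately (fast),
    # known users pay for a hash computation (slow). The gap reveals
    # whether the username exists, regardless of the password sent.
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def login_uniform(username: str, password: str) -> bool:
    # Mitigated pattern: always perform exactly one hash verification.
    # For unknown users the dummy record is checked and the outcome is
    # discarded, so the dummy password can never log anyone in.
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return matched and record is not None

def timing_gap(login, rounds: int = 5) -> float:
    # Ratio of median rejection time for an unknown user to that for a
    # known user. Near 0 means the paths are distinguishable; near 1 means
    # the handler does uniform work and does not leak username existence.
    def measure(user):
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            login(user, "wrong password")
            samples.append(time.perf_counter() - t0)
        return sorted(samples)[len(samples) // 2]
    return measure("nobody") / measure("alice")
```

Running `timing_gap` against your own login handler in a unit test is a cheap regression check that a refactor has not reintroduced the fast path for unknown users.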
How to fix CVE-2025-24023
To remediate CVE-2025-24023, upgrade the affected package to the fixed version below.
- Flask-AppBuilder: upgrade to 4.5.3 or later
Is CVE-2025-24023 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Flask-AppBuilder: all versions from 0 up to, but not including, 4.5.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.7) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |