CRITICAL🇵🇱 Wersja polska

CVE-2025-43931

CVSS 9.8v3.1pub. 2025-07-07upd. 2026-04-15

flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.

🤖 AI Analysis
How it works

The flask-boilerplate application does not define the SERVER_NAME variable, so when generating a password reset link, it relies solely on the value of the HTTP Host header provided in the request. The attacker initiates a password reset request for a selected account while replacing the Host header with an address of a server under their control. As a result, the victim receives an email with a link leading to the attacker's server, which can intercept the password reset token (CWE-640: Weak Password Recovery Mechanism for Forgotten Password).

Impact

An attacker can take full control of any user account by intercepting the password reset token, thereby gaining access to their data and permissions in the application.

Mitigation & patch

The SERVER_NAME variable should be configured in the Flask application settings to prevent link generation from relying on the Host HTTP header. Patches available from the vendor should be applied according to the references.

Who is affected

flask-boilerplate in versions up to and including a170e7c (commit a170e7c in the MaxHalford/flask-boilerplate repository)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References