GHSA-w2j7-f3c6-g8cw: Open Redirect Bypass via Parser Differential in Flask-Security
Vulnerability ID: GHSA-W2J7-F3C6-G8CW
CVSS Score: 4.7
Published: 2026-06-23
An open redirect vulnerability exists in Flask-Security versions up to and including 5.8.0. This flaw allows remote, unauthenticated attackers to perform open redirects by exploiting a parser differential between Python's standard library urlsplit() function and modern web browsers when subdomain redirection is allowed.
TL;DR
A parser differential between Python's urlsplit() and web browsers allows attackers to bypass subdomain redirect validation in Flask-Security using backslash-based host strings, leading to open redirect attacks.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-601
- Attack Vector: Network (AV:N)
- CVSS Score: 4.7 (Medium)
- EPSS Score: N/A
- Impact: Open Redirect
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- Flask-Security with SECURITY_REDIRECT_ALLOW_SUBDOMAINS enabled
- Flask-Security: <= 5.8.0 (Fixed in: 5.8.1)
Mitigation Strategies
- Upgrade Flask-Security to version 5.8.1 or later
- Disable subdomain redirects by setting SECURITY_REDIRECT_ALLOW_SUBDOMAINS = False
- Deploy custom validation middleware to sanitize redirection parameters
Remediation Steps
- Verify the current installed version using 'pip show Flask-Security'
- Upgrade the package to a fixed version: 'pip install --upgrade "Flask-Security>=5.8.1"' (the version specifier must be quoted, otherwise the shell treats '>=5.8.1' as an output redirection)
- Restart the Flask application process to apply the changes
- Verify that redirect requests containing backslashes are rejected with an error
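The following is an added example, not Flask-Security's own code: a redirect-target validator for the custom-validation mitigation above, which removes the parser differential by rejecting, on the raw string, the characters a browser reinterprets before it parses the authority (backslash, NUL, tab, newline), and only then compares the urlsplit() host against the application's canonical host. The hostname "app.example.com" is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the application's own host; not from the advisory.
CANONICAL_HOST = "app.example.com"

# Characters a browser rewrites or strips before it parses the authority, while
# urlsplit() leaves them in netloc (or, for tab/newline, silently strips them).
# Backslash is the one this advisory is about: browsers treat it as "/" in
# http(s) URLs, so the authority ends there, but urlsplit() does not.
# They are checked on the raw string, before urlsplit() normalises anything.
_DIFFERENTIAL_CHARS = "\\\x00\t\r\n"


def is_safe_redirect(target: str, canonical_host: str = CANONICAL_HOST,
                     allow_subdomains: bool = True) -> bool:
    """Accept only absolute-path references ("/account") or http(s) URLs whose
    host is the canonical host or, if allowed, a subdomain of it."""
    if not target or any(ch in target for ch in _DIFFERENTIAL_CHARS):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. unbalanced "[" in the authority
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # "https:///x" or "///x": urlsplit() sees an empty authority, but a
        # browser collapses the extra slashes and uses "x" as the host.
        if parts.scheme or target.startswith("//"):
            return False
        # Plain in-site path; anything not starting with "/" is rejected.
        return target.startswith("/")
    if parts.username is not None or parts.password is not None:
        return False  # userinfo before "@" can disguise the real host
    host = parts.hostname or ""  # lower-cased, port and brackets removed
    if not host:
        return False
    if host == canonical_host:
        return True
    # Subdomain match requires the dot, so "app.example.com.other.test" fails.
    return allow_subdomains and host.endswith("." + canonical_host)
```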
References
- GitHub Security Advisory GHSA-w2j7-f3c6-g8cw
- OSV Vulnerability Database Registry
- National Vulnerability Database (NVD) Analysis for CVE-2023-49438
- GitLab Advisory Entry for Flask-Security Open Redirect Class
- GitHub Advisories Main Entry Portal