GHSA-W2J7-F3C6-G8CW is a medium-severity open redirect vulnerability in Flask-Security (pip), affecting versions <= 5.8.0. It is fixed in 5.8.1.
Open Redirect in Flask-Security Summary flasksecurity.utils.validateredirecturl() can allow an attacker-controlled redirect URL when subdomain redirects are enabled. The bypass uses a backslash inside the URL authority/host: Python's urlsplit() parses the full authority as evil.com\.whitelist.com or evil.com%5C.whitelist.com. Because the value ends with .whitelist.com, validateredirect_url() accepts it as an allowed subdomain of whitelist.com. This is similar in class to the previous Flask-Security-Too open redirect advisory CVE-2023-49438 / GHSA-672h-6x89-76m5, where crafted redirect URLs bypassed validation through browser URL normalization behavior. Affected Configuration The issue requires subdomain redirects to be enabled: Tested environment: Impact An attacker can craft a URL that passes Flask-Security's redirect validation and produces a 302 response to an attacker-controlled URL-like authority. This can be used for phishing or other attacks that rely on a trusted application redirecting users to an attacker-controlled destination. Proof of Concept PoC Flask App Steps to Reproduce Run the PoC with the target project's Flask version: The invalid comparison case is correctly blocked: Observed result: <img width="1019" height="294" alt="image" src="https://github.com/user-attachments/assets/de25ac4d-b37f-4369-928e-f44dfd5b7557" /> Check the validation result: Observed result: <img width="1029" height="634" alt="image" src="https://github.com/user-attachments/assets/8e5ec8a6-42a4-438a-8d12-a27724519091" /> References CVE-2023-49438: https://advisories.gitlab.com/pypi/flask-security-too/CVE-2023-49438/ GHSA-672h-6x89-76m5: https://osv.dev/vulnerability/CVE-2023-49438 NVD entry for CVE-2023-49438: https://nvd.nist.gov/vuln/detail/CVE-2023-49438
Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites. Typical impact: phishing and credential harvesting via a trusted domain.
GHSA-W2J7-F3C6-G8CW has a CVSS score of 4.7 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (5.8.1). Upgrading removes the vulnerable code path.
pip
Flask-Security (<= 5.8.0)Flask-Security → 5.8.1 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether GHSA-W2J7-F3C6-G8CW is reachable in your applications. Explore open-source security for your team.
See if GHSA-W2J7-F3C6-G8CW is reachable in your applications. Get a demo
Already deployed Kodem? See GHSA-W2J7-F3C6-G8CW in your environment →Upgrade Flask-Security to 5.8.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
GHSA-W2J7-F3C6-G8CW is a medium-severity open redirect vulnerability in Flask-Security (pip), affecting versions <= 5.8.0. It is fixed in 5.8.1. Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites.
GHSA-W2J7-F3C6-G8CW has a CVSS score of 4.7 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
Flask-Security (pip) versions <= 5.8.0 is affected.
Yes. GHSA-W2J7-F3C6-G8CW is fixed in 5.8.1. Upgrade to this version or later.
Whether GHSA-W2J7-F3C6-G8CW is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade Flask-Security to 5.8.1 or later.