Open Redirect Affecting flask-unchained package, versions [,0.9.0)

  • Exploit Maturity

    Proof of concept


  • published

    10 Jun 2021

  • disclosed

    15 May 2021

  • credit

    Noam Moshe of Claroty

How to fix?

Upgrade Flask-Unchained to version 0.9.0 or higher.


Flask-Unchained is the quickest and easiest way to build large web apps and APIs with Flask and SQLAlchemy.

Affected versions of this package are vulnerable to Open Redirect. When using the _validate_redirect_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes, such as \\\.

This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using `autocorrect_location_header=False`.
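As an added example (not code from Flask-Unchained or from this advisory), the following Python shows a naive redirect-target check beside a hardened one. The naive version relies on urlparse alone, which does not treat backslashes as separators, so the multi-backslash input described above yields an empty netloc and passes; the hardened version rejects backslashes and scheme-relative targets outright and only accepts same-host absolute URLs or plain local paths, so it does not depend on Werkzeug's Location-header autocorrection for safety. The host name app.example.com, the function names and the sample inputs are assumptions constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed: the host the application is assumed to be served from.
APP_HOST = "app.example.com"

# Constructed sample input of the kind the advisory describes:
# three backslashes followed by an off-site host name.
CONSTRUCTED_BYPASS_INPUT = "\\\\\\evil.example"


def naive_is_safe_redirect(url: str, host: str = APP_HOST) -> bool:
    """Illustrative naive check (hypothetical, not Flask-Unchained's code).

    It accepts any URL whose parsed netloc is empty or equals our host.
    urlparse() does not treat "\\" as a path separator, so a target made of
    backslashes parses with an empty netloc and is wrongly accepted, even
    though browsers rewrite "\\" to "/" and navigate off-site.
    """
    parsed = urlparse(url)
    return parsed.netloc == "" or parsed.netloc == host


def is_safe_redirect(url: str, host: str = APP_HOST) -> bool:
    """Hardened check (hypothetical, added here as an example).

    Accepts only:
      * a local path starting with a single "/", or
      * an absolute http(s) URL whose hostname is exactly our host.
    Everything else, including backslashes, control characters,
    scheme-relative "//host" targets and non-http schemes, is rejected.
    """
    if not url:
        return False
    # Browsers normalise "\\" to "/", so "\\\\host" behaves like "//host".
    # Reject backslashes and control characters before any parsing.
    if "\\" in url or any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    # Scheme-relative URL: the browser would fill in the scheme and go off-site.
    if url.startswith("//"):
        return False
    parsed = urlparse(url)
    if parsed.scheme or parsed.netloc:
        # Absolute URL: allow only http(s) to our own host. hostname strips
        # userinfo and port and lowercases, so "host@evil.example" fails.
        return parsed.scheme in ("http", "https") and parsed.hostname == host
    # Relative target: require a plain local path.
    return url.startswith("/")


if __name__ == "__main__":
    for candidate in (
        "/dashboard?tab=1",
        "https://app.example.com/account",
        CONSTRUCTED_BYPASS_INPUT,
        "//evil.example",
        "https://evil.example/",
        "javascript:alert(1)",
    ):
        print(f"{candidate!r:32} naive={naive_is_safe_redirect(candidate)!s:5} "
              f"hardened={is_safe_redirect(candidate)}")
```

The naive function is included only to make the failure mode concrete: it returns True for the constructed backslash input, while the hardened function returns False for it and for every other off-site form while still allowing normal local paths and same-host absolute URLs.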