CVE-2025-55736
Published: 19 August 2025
Summary
CVE-2025-55736 is a critical-severity Forced Browsing (CWE-425) vulnerability in Dogukanurker Flaskblog. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28607
Vulnerability details
flaskBlog is a blog app built with Flask. In version 2.8.0 and earlier, any authenticated user can change their own role to "admin" and thereby gain admin privileges (e.g. deleting users, posts and comments). The missing authorization check is in the routes/adminPanelUsers file: the role-change handler can be reached by a direct request without verifying that the caller is already an admin.
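As an added example (not flaskBlog's own routes/adminPanelUsers code), the following shows the pattern behind this class of bug in a Flask-style route: a role-change handler that is reachable by a direct request and applies whatever the form says, beside a hardened version that evaluates the caller's stored role on every request. The table layout, the role names, the handler signatures and the status codes are assumptions; the handlers take the session and the form as plain dicts so the snippet runs without Flask installed.

```python
"""Illustrative role-change handler, vulnerable form beside a fixed one.

Added example code, not flaskBlog's own. Assumptions: users live in a SQLite
table with a text `role` column, the logged-in user's name is in a session
dict, and the request's form fields arrive as a dict.
"""
import sqlite3
from functools import wraps

ALLOWED_ROLES = {"user", "admin"}  # assumption: the only roles this example knows


def make_db():
    """Constructed sample data: one admin and one ordinary user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    db.commit()
    return db


def role_of(db, name):
    """The server-side source of truth for a user's role."""
    row = db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def set_role_vulnerable(db, session, form):
    """Vulnerable pattern (CWE-425): reachable by a direct request, applies the
    client-supplied role to the client-supplied user, never checks the caller."""
    db.execute("UPDATE users SET role = ? WHERE name = ?", (form["role"], form["user"]))
    db.commit()
    return 302  # redirect back to the panel, as a real handler would


def require_admin(view):
    """Check the caller's *stored* role on every request. In a Flask app this
    wraps the view function and reads flask.session instead of a dict."""
    @wraps(view)
    def wrapper(db, session, form):
        if "user" not in session:
            return 401
        if role_of(db, session["user"]) != "admin":
            return 403
        return view(db, session, form)
    return wrapper


@require_admin
def set_role_fixed(db, session, form):
    """Fixed handler: only an admin reaches the body, the new role must be a
    known value, the target must exist, and the caller may not change their own
    role (a design choice here, guarding against an admin locking themselves out)."""
    new_role = form.get("role")
    target = form.get("user")
    if new_role not in ALLOWED_ROLES or target is None:
        return 400
    if target == session["user"]:
        return 400
    if role_of(db, target) is None:
        return 404
    db.execute("UPDATE users SET role = ? WHERE name = ?", (new_role, target))
    db.commit()
    return 302


def escalation_attempt(handler):
    """Replay the CVE scenario against a handler: bob, an ordinary user, posts a
    direct request setting his own role to admin. Returns (status, bob's role)."""
    db = make_db()
    session = {"user": "bob"}
    status = handler(db, session, {"user": "bob", "role": "admin"})
    return status, role_of(db, "bob")


def legitimate_promotion():
    """Control case: alice (an admin) promotes bob through the fixed handler."""
    db = make_db()
    status = set_role_fixed(db, {"user": "alice"}, {"user": "bob", "role": "admin"})
    return status, role_of(db, "bob")


if __name__ == "__main__":
    print("vulnerable:", escalation_attempt(set_role_vulnerable))  # (302, 'admin')
    print("fixed:     ", escalation_attempt(set_role_fixed))       # (403, 'user')
    print("admin path:", legitimate_promotion())                   # (302, 'admin')
```

The point of the decorator is that the decision is made server-side, from the stored role, on every request to the route. Hiding the admin panel link in the UI is not an access control: the handler is still a URL that anyone with a session can post to directly, which is exactly the forced-browsing path this CVE describes.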
- CWE(s): CWE-425 (Forced Browsing)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
The vulnerability lets any authenticated user exploit the missing authorization check for privilege escalation (Exploitation for Privilege Escalation, T1068) by changing their own role to admin (Account Manipulation, T1098), after which they can delete other users (Account Access Removal, T1531) and other content.
Affected Assets
- flaskBlog (Dogukanurker) versions 2.8.0 and earlier, per the vulnerability description above
Mitigating Controls
Likely Mitigating Controls (AI-generated mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Access enforcement: blocks unauthorized direct requests (forced browsing) by denying access to non-authorized actors.
- Mandatory per-request decisions: forcing an access decision on every request, including direct ones, reduces the exploitability of forced browsing by ensuring there is no unchecked access path.
- Reference monitor: forcing all accesses through the reference monitor prevents direct or forced requests from bypassing the checks.
- Complete mediation: enforcing access control on every logical request prevents unauthorized direct access to protected resources.
- System use notification: displaying the notification before further access on public systems prevents direct resource requests from bypassing the required terms and consent.
- Verified attribute sources: preventing reliance on untrusted matching results for security-relevant decisions by enforcing verification and contest procedures.
- Authoritative attributes: providing authoritative attributes with the data reduces the need for security decisions to rely on untrusted external inputs.
- Decoys: decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis.