CVE-2025-55737
Published: 19 August 2025
Summary
CVE-2025-55737 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Dogukanurker Flaskblog. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 30.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28608
Vulnerability details
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there is no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py.
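The following is an added illustration, not code from flaskBlog's routes/post.py. It shows the shape of a delete handler that trusts only the client-supplied commentID (the CWE-639 pattern the advisory describes) beside an ownership-checked form, using a stdlib sqlite3 table so it runs offline. The table and column names, the sample comments, the user names and the string return values are assumptions made for the example; the real application's schema and session handling are not reproduced.

```python
import sqlite3

# Constructed sample data (not from the project): comments on two posts by two users.
SAMPLE_COMMENTS = [
    (1, 10, "alice", "first!"),
    (2, 10, "bob", "nice post"),
    (3, 11, "alice", "thanks for writing this"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the sample comments."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, "
        "user TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?)", SAMPLE_COMMENTS)
    conn.commit()
    return conn


def comment_exists(conn, comment_id):
    row = conn.execute("SELECT 1 FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row is not None


def delete_comment_vulnerable(conn, comment_id, current_user):
    """Shape of the bug: the row to delete is chosen purely by the client-supplied
    commentID. current_user is never consulted, so whoever edits the ID in the
    intercepted request deletes anyone's comment. Returns True if a row was removed."""
    cur = conn.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
    conn.commit()
    return cur.rowcount == 1


def delete_comment_fixed(conn, comment_id, current_user, is_admin=False):
    """Ownership-checked delete. current_user must be taken from the server-side
    session, never from the request. Returns 'deleted', 'forbidden' or 'not_found'
    (a route handler would map these to HTTP 200/403/404)."""
    if is_admin:
        cur = conn.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
    else:
        # Ownership is enforced in the same statement as the delete, so there is
        # no check-then-act window between a separate SELECT and the DELETE.
        cur = conn.execute(
            "DELETE FROM comments WHERE id = ? AND user = ?", (comment_id, current_user)
        )
    conn.commit()
    if cur.rowcount == 1:
        return "deleted"
    # Nothing deleted: distinguish a missing row from somebody else's row.
    return "forbidden" if comment_exists(conn, comment_id) else "not_found"


def demo():
    """Replay the advisory's scenario: user 'mallory' submits a delete carrying the
    ID of alice's comment. Returns (vulnerable_outcome, fixed_outcome, still_present)."""
    vuln = make_db()
    vulnerable_outcome = delete_comment_vulnerable(vuln, 1, "mallory")  # True: alice's comment is gone
    fixed = make_db()
    fixed_outcome = delete_comment_fixed(fixed, 1, "mallory")  # 'forbidden'
    return vulnerable_outcome, fixed_outcome, comment_exists(fixed, 1)


if __name__ == "__main__":
    print(demo())
```

The fixed variant keeps the ownership predicate inside the DELETE itself rather than checking with a SELECT first, and the identity it compares against comes from the session, not from any field the client can edit. Distinguishing 403 from 404 reveals whether a comment ID exists; on a blog where comments are public that is harmless, but for private resources a single "not found" response is the safer choice.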
- CWE: CWE-639 Authorization Bypass Through User-Controlled Key
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
The IDOR (CWE-639) sits in a public-facing web application and is reached by any user sending an ordinary HTTP delete request with a modified commentID, which is Exploit Public-Facing Application (T1190). The effect, unauthorized deletion of other users' stored comments, is Data Destruction (T1485).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.