flaskBlog arbitrary comment delete_CVE-2025-55737

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py.

Basic Information

ID CVE-2025-55737

Source GitHub_M

Published Aug 19, 2025 at 19:06

Modified Aug 19, 2025 at 19:27

Affected Product

Vendor DogukanUrker

Product FlaskBlog

Version <= 2.8.0

Affected Versions DogukanUrker FlaskBlog <= 2.8.0

CWE Classification

CWE-639

References

github.com /DogukanUrker/FlaskBlog/security/advisories/GHSA-6hp9-jv2f-88wr

{
    "lastseen": "",
    "description": "flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py.",
    "published": "2025-08-19T19:06:15.195Z",
    "modified": "2025-08-19T19:27:18.828Z",
    "type": "cve",
    "title": "flaskBlog arbitrary comment delete",
    "source": "GitHub_M",
    "references": "https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-6hp9-jv2f-88wr",
    "id": "CVE-2025-55737",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "DogukanUrker FlaskBlog <= 2.8.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FlaskBlog",
    "version": "<= 2.8.0",
    "vendor": "DogukanUrker",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}