CVE-2025-47278 – flask

Package

Manager: pip
Name: flask
Vulnerable Version: =3.1.0 || >=3.1.0 <3.1.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00018 pctl0.02924

Details

Flask uses fallback key instead of current signing key In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.

Metadata

Created: 2025-05-13T20:25:26Z
Modified: 2025-05-13T20:25:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-4grg-w6v8-c28g/GHSA-4grg-w6v8-c28g.json
CWE IDs: ["CWE-683"]
Alternative ID: GHSA-4grg-w6v8-c28g
Finding: F184
Auto approve: 1