PT-2020-6448 · PyPI · Flask-Caching

Subnix

Published 2020-12-31 · Updated 2024-08-04 · CVE-2021-33026

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flask-Caching versions through 1.10.1

Description: Flask-Caching serializes cached values with Pickle. Because unpickling executes code embedded in the data stream, an attacker who can write to the cache storage (for example a shared Redis, Memcached or filesystem backend) can poison the cache with a crafted Pickle payload that runs arbitrary Python code in the application process when the entry is read, leading to remote code execution or local privilege escalation. Exploitation is very unlikely unless the machine or its cache storage is already compromised: the attacker must be able to write arbitrary values to the cache, produce a cache key that collides with one the application reads, and cause the application to read the injected value.

Recommendations: For Flask-Caching versions through 1.10.1, disable Pickle-based serialization (for example by caching only data that can be stored in a data-only format such as JSON) until a patched release is available. As an interim mitigation, restrict access to the cache storage (network isolation, authentication, file permissions) so that no untrusted party can write to it, and avoid cache configurations that allow arbitrary values to be written to the cache.
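The following is an added example, not Flask-Caching code or an exploit for it. It models the attack chain the description outlines against a constructed in-memory stand-in for a shared cache backend (SHARED_STORE) that the attacker can write to, and contrasts a Pickle-backed store, where reading a poisoned entry runs attacker-chosen code, with a JSON-backed store, which rejects the same bytes. The cache key "view//index" and the side-effect marker are constructed; the "code execution" is a benign function call so the demonstration is safe to run.

```python
"""Added example: why Pickle-backed cache entries are a code-execution sink,
and what a data-only (JSON) store does with the same poisoned entry.

Everything here is a constructed stand-in; it is not Flask-Caching code.
SHARED_STORE models a cache backend (Redis, Memcached, filesystem) that the
attacker can write to, which is the precondition the advisory describes.
"""
import json
import pickle

SHARED_STORE = {}    # key -> raw bytes, as a backend would hold them
SIDE_EFFECTS = []    # records what attacker-controlled code did on load


def attacker_action(marker):
    """Benign stand-in for arbitrary code; a real payload would spawn a shell."""
    SIDE_EFFECTS.append(marker)
    return marker


class PoisonedEntry:
    """The unpickler calls the callable returned by __reduce__ with the given
    arguments. That call, made inside the application process, is the
    code-execution primitive behind this class of bug."""

    def __reduce__(self):
        return (attacker_action, ("executed-from-cache",))


# --- vulnerable pattern: Pickle on both sides of the cache ------------------
def pickle_cache_set(key, value):
    SHARED_STORE[key] = pickle.dumps(value)


def pickle_cache_get(key):
    raw = SHARED_STORE.get(key)
    return None if raw is None else pickle.loads(raw)   # runs the payload


# --- hardened pattern: data-only serializer ----------------------------------
def json_cache_set(key, value):
    SHARED_STORE[key] = json.dumps(value).encode("utf-8")


def json_cache_get(key):
    raw = SHARED_STORE.get(key)
    return None if raw is None else json.loads(raw.decode("utf-8"))


def poison_cache(key):
    """Attacker step: overwrite an entry under a key the app is known to read."""
    SHARED_STORE[key] = pickle.dumps(PoisonedEntry())


def audit_store():
    """Practitioner check: list entries that look like Pickle streams
    (protocol >= 2 streams begin with the PROTO opcode 0x80)."""
    return sorted(k for k, v in SHARED_STORE.items() if v[:1] == b"\x80")


def demo_vulnerable():
    SHARED_STORE.clear()
    SIDE_EFFECTS.clear()
    pickle_cache_set("view//index", {"body": "hello"})   # legitimate entry
    poison_cache("view//index")                          # same key, poisoned
    pickle_cache_get("view//index")                      # app reads it back
    return list(SIDE_EFFECTS)


def demo_hardened():
    SHARED_STORE.clear()
    SIDE_EFFECTS.clear()
    json_cache_set("view//index", {"body": "hello"})
    poison_cache("view//index")
    try:
        json_cache_get("view//index")
    except (UnicodeDecodeError, json.JSONDecodeError):
        return ("rejected", list(SIDE_EFFECTS))
    return ("accepted", list(SIDE_EFFECTS))


if __name__ == "__main__":
    print("pickle backend:", demo_vulnerable())
    print("json backend:  ", demo_hardened())
    print("pickle-looking entries:", audit_store())
```

The JSON side is not a drop-in replacement: it only holds plain data (dicts, lists, strings, numbers), so any cached value that is an arbitrary Python object must be converted first. The audit_store() check is a coarse triage aid for inspecting an existing backend; it flags Pickle-shaped entries, not whether any of them is malicious.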

Exploit · Fix · RCE · LPE

Weakness Enumeration

Deserialization of Untrusted Data
Improper Privilege Management

Related Identifiers

BDU:2021-04896
CVE-2021-33026
GHSA-656C-6CXF-HVCV

Affected Products

Debian
Flask-Caching