PT-2025-20926 · Flask+1
Published: 2025-05-13 · Updated: 2025-05-26 · CVE-2025-47278
CVSS v4.0: 1.8 (Low)
| Vector | AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
Flask version 3.1.0
Description:
The issue arises from incorrect handling of the fallback key configuration in Flask: the last fallback key is used for signing instead of the current signing key, because Flask builds the list of keys in reverse order, passing the signing key first. Sites that rotate keys by setting SECRET_KEY_FALLBACKS may unexpectedly sign their sessions with stale keys, impeding their transition to fresher keys. Sessions are still signed, however, so there is no loss of data integrity.
Recommendations:
For Flask version 3.1.0, update to version 3.1.1 to resolve the issue.
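To make the ordering defect concrete, here is an added example (not Flask's or itsdangerous' own code): a toy signer that follows the key-list semantics itsdangerous documents, the last key in the list signs and every key verifies, which this example assumes; the key names and session payload are constructed.

```python
import base64
import hashlib
import hmac


def _hmac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha1).digest()


class RotatingSigner:
    """Toy signer with the key-list semantics itsdangerous documents (assumption,
    simplified, not the library's code): the LAST key signs, every key verifies."""

    def __init__(self, keys):
        self.keys = [k.encode() if isinstance(k, str) else k for k in keys]

    def sign(self, payload: bytes) -> bytes:
        sig = base64.urlsafe_b64encode(_hmac(self.keys[-1], payload))
        return payload + b"." + sig

    def signing_key_index(self, token: bytes):
        """Index of the key that produced the token's signature, or None."""
        payload, _, sig = token.rpartition(b".")
        raw = base64.urlsafe_b64decode(sig)
        for i, key in enumerate(self.keys):
            if hmac.compare_digest(_hmac(key, payload), raw):
                return i
        return None


def keys_flask_3_1_0(secret_key, fallbacks):
    # Order described in the advisory for 3.1.0: current key first, then fallbacks.
    return [secret_key, *fallbacks]


def keys_corrected(secret_key, fallbacks):
    # Fallbacks (oldest first), then the current key last, so the current key signs.
    return [*fallbacks, secret_key]


def key_used_for_signing(keys, payload=b"session-data"):
    """Label of the key a fresh session cookie is signed with under this key order."""
    signer = RotatingSigner(keys)
    return keys[signer.signing_key_index(signer.sign(payload))]


def still_verifies(keys, token):
    """True if a cookie signed under an older key is still accepted (rotation intact)."""
    return RotatingSigner(keys).signing_key_index(token) is not None
```

With the constructed keys `key-2025` (current) and `["key-2023", "key-2024"]` (fallbacks), the 3.1.0 order signs with `key-2024` while the corrected order signs with `key-2025`; both orders still accept cookies signed with any fallback key, which matches the advisory's note that integrity is not lost.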
Affected Products: Flask, Ubuntu