PyPI: flask-security
CVE-2021-23385
Safety vulnerability ID: SFTY-20220802-14391
Safety legacy ID: pyup.io-44501
Overview
Flask-Security vulnerable to Open Redirect
Advisory
All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: when using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes, such as \\\evil.com/path. This vulnerability is only exploitable if a WSGI server other than Werkzeug is used, or if the default behaviour of Werkzeug is modified with 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore.
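The root cause described above is a disagreement between the server-side URL parser and the browser: Python's urlparse() only recognises "//" as the start of an authority, while browsers treat a backslash as a forward slash and collapse any run of leading slashes. The following is an added example, not Flask-Security's code, showing a naive "is this local?" check that the backslash form slips past, a small model of how a browser would resolve the same Location value, and a hardened validator that rejects backslashes before parsing and only accepts targets that still resolve to our own host. The host name app.example.com and the WHATWG-style normalisation in browser_host() are assumptions for the example.

```python
from urllib.parse import urljoin, urlparse

# Constructed value: the host this application serves; all checks below assume it.
OUR_HOST = "app.example.com"


def naive_is_local(target: str) -> bool:
    """The kind of check that CVE-2021-23385 bypasses (illustrative, not
    Flask-Security's code): trust the target if urlparse() reports either no
    netloc or our own. urlparse() only recognises '//' as the authority
    delimiter, so a backslash-prefixed target looks like a relative path."""
    parsed = urlparse(target)
    return parsed.netloc in ("", OUR_HOST)


def browser_host(target: str) -> str:
    """Approximate how a browser resolves a Location header (assumption:
    WHATWG URL semantics, where '\\' is treated as '/' and any run of leading
    slashes before an authority is collapsed). Returns the host the browser
    would actually navigate to, relative to OUR_HOST."""
    slashed = target.replace("\\", "/")
    parsed = urlparse(slashed)
    if parsed.scheme:                      # absolute URL, e.g. https://evil.com/x
        return parsed.netloc
    stripped = slashed.lstrip("/")
    if len(slashed) - len(stripped) >= 2:  # protocol-relative: //host/... or ///host/...
        return urlparse("//" + stripped).netloc
    return OUR_HOST                        # plain relative path stays on our host


def is_safe_redirect(target: str) -> bool:
    """Hardened check (added example): refuse backslashes and control
    characters before parsing, so urlparse() and the browser cannot disagree,
    then resolve the target against our own origin and accept it only if it
    still points at OUR_HOST over http(s)."""
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    resolved = urlparse(urljoin(f"https://{OUR_HOST}/", target))
    return resolved.scheme in ("http", "https") and resolved.netloc == OUR_HOST


if __name__ == "__main__":
    # Constructed sample targets, including the backslash form from the advisory.
    for candidate in [r"\\\evil.com/path", "//evil.com/path", "/profile",
                      "https://app.example.com/dash", "https://evil.com/"]:
        print(f"{candidate!r:32} naive={naive_is_local(candidate)!s:5} "
              f"browser->{browser_host(candidate):16} hardened={is_safe_redirect(candidate)}")
```

The naive check accepts \\\evil.com/path because urlparse() sees an empty netloc, while browser_host() shows the browser would land on evil.com; the hardened check rejects it. Rejecting the backslash outright is deliberate: normalising it to a slash and re-validating would work too, but refusing characters the application never legitimately needs in a redirect target is the smaller, easier-to-reason-about rule. Note that this only matters once Werkzeug's autocorrect_location_header is disabled or a different WSGI server is used, exactly as the advisory states; with the default Werkzeug behaviour the Location header is rewritten to an absolute URL on the serving host.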
How to Fix
We recommend updating flask-security to the latest non-vulnerable version.
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20220802-14391/CVE-2021-23385
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23385
- https://github.com/mattupstate/flask-security
- https://lists.debian.org/debian-lts-announce/2023/08/msg00034.html
- https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
- https://snyk.io/blog/url-confusion-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2021-23385
- https://github.com/advisories/GHSA-cg8c-gc2j-2wf7
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
