PyPI: flask
CVE-2025-47278
Safety vulnerability ID: SFTY-20250513-06529
Safety legacy ID: pyup.io-77323
Overview
Flask uses fallback key instead of current signing key
Advisory
Affected versions of Flask (≤ 3.1.0) are vulnerable to incorrect fallback key configuration in session signing: new session cookies are signed with a stale fallback key instead of the intended current SECRET_KEY. This undermines session integrity and enables remote attackers to forge or tamper with cookies via manipulated SECRET_KEY_FALLBACKS parameters. The vulnerability exists in the itsdangerous-based signing routines within flask.sessions (fallback key list ordering).
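The ordering problem the advisory describes can be checked in isolation. The block below is an added illustration, not Flask's or itsdangerous' code: it models the multi-key contract itsdangerous exposes (the last key in the list signs, any key in the list verifies), builds the key list from an assumed SECRET_KEY and SECRET_KEY_FALLBACKS in two orders, and reports which key actually signed a freshly issued cookie. The key names, the HMAC-SHA256 construction and the "current"/"fallback" labels are constructed for the example; the ordering that puts the current key first reproduces the stale-key symptom, the one that puts it last gives the intended rotation behaviour.

```python
import hashlib
import hmac
from typing import Sequence

# Assumption (modelled on the itsdangerous multi-key contract, simplified
# to a bare HMAC): the LAST key in the list signs, every key verifies.
# Flask builds this list from SECRET_KEY and SECRET_KEY_FALLBACKS, so the
# order decides which key signs new session cookies.


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def sign(keys: Sequence[bytes], payload: bytes) -> bytes:
    """Issue a token signed with the last key in the list."""
    return payload + b"." + _mac(keys[-1], payload)


def verify(keys: Sequence[bytes], token: bytes) -> bool:
    """Accept the token if any key in the list reproduces its MAC."""
    payload, _, mac = token.rpartition(b".")
    return any(hmac.compare_digest(_mac(k, payload), mac) for k in keys)


def key_list_stale_order(secret_key: bytes, fallbacks: Sequence[bytes]) -> list[bytes]:
    # Current key first: the last fallback ends up as the signing key.
    return [secret_key, *fallbacks]


def key_list_intended_order(secret_key: bytes, fallbacks: Sequence[bytes]) -> list[bytes]:
    # Fallbacks first, current key last: current key signs, fallbacks only verify.
    return [*fallbacks, secret_key]


def which_key_signs(keys: Sequence[bytes], secret_key: bytes, fallbacks: Sequence[bytes]) -> str:
    """Audit helper: issue a cookie and see whether SECRET_KEY alone validates it.

    Returns "current" when the configured SECRET_KEY signed the cookie,
    "fallback" when one of the rotated-out keys did.
    """
    token = sign(keys, b"session-data")  # constructed payload
    if verify([secret_key], token):
        return "current"
    if any(verify([fb], token) for fb in fallbacks):
        return "fallback"
    return "unknown"


if __name__ == "__main__":
    current, old = b"new-key-2025", [b"old-key-2023", b"old-key-2024"]
    print("current first:", which_key_signs(key_list_stale_order(current, old), current, old))
    print("current last: ", which_key_signs(key_list_intended_order(current, old), current, old))
```

The same audit applies to a real deployment after upgrading: take a session cookie issued by the application and confirm it validates under SECRET_KEY alone; if it only validates under a fallback key, new sessions are still being signed with a key that was supposed to be retired.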
How to Fix
Upgrade to Flask 3.1.1 or later (release tag listed under References).
Mitigation and Workarounds
Until the upgrade is applied, leave SECRET_KEY_FALLBACKS unset so that session cookies are signed and verified with SECRET_KEY only.
Vulnerable Functions
flask.sessions: itsdangerous-based session signing routines (fallback key list ordering).
References
- https://getsafety.com/vulnerabilities/SFTY-20250513-06529/CVE-2025-47278
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47278
- https://nvd.nist.gov/vuln/detail/CVE-2025-47278
- https://github.com/advisories/GHSA-4grg-w6v8-c28g
- https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g
- https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09
- https://github.com/pallets/flask/releases/tag/3.1.1
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.