VulnerableCode Package Details - pkg:pypi/flask-security-too@3.4.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-ktqv-ggxh-skf6 Aliases: CVE-2021-21241 GHSA-hh7m-rx4f-4vpv PYSEC-2021-91	cross-site request forgery	3.4.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-tk55-7fdu-9kfq Aliases: CVE-2023-49438 GHSA-672h-6x89-76m5 PYSEC-2023-248	An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.	5.3.3 Affected by 0 other vulnerabilities.
VCID-ua6e-h8x5-dbgd Aliases: CVE-2021-32618 GHSA-6qmf-fj6m-686c PYSEC-2021-123	The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the `autocorrect_location_header=False`.	4.1.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-ktqv-ggxh-skf6
Aliases:
CVE-2021-21241
GHSA-hh7m-rx4f-4vpv
PYSEC-2021-91

cross-site request forgery

3.4.5
Affected by 2 other vulnerabilities.

VCID-tk55-7fdu-9kfq
Aliases:
CVE-2023-49438
GHSA-672h-6x89-76m5
PYSEC-2023-248

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

5.3.3
Affected by 0 other vulnerabilities.

VCID-ua6e-h8x5-dbgd
Aliases:
CVE-2021-32618
GHSA-6qmf-fj6m-686c
PYSEC-2021-123

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the `autocorrect_location_header=False`.

4.1.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:20:31.899238+00:00	Pypa Importer	Affected by	VCID-tk55-7fdu-9kfq	https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2023-248.yaml	38.6.0
2026-06-02T04:13:51.744074+00:00	Pypa Importer	Affected by	VCID-ua6e-h8x5-dbgd	https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2021-123.yaml	38.6.0
2026-06-02T04:08:17.890412+00:00	Pypa Importer	Affected by	VCID-ktqv-ggxh-skf6	https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2021-91.yaml	38.6.0