VulnerableCode Package Details - pkg:pypi/flask@3.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-rx8q-6dwq-a3hs Aliases: CVE-2026-27205 GHSA-68rp-wp8r-4726	Flask session does not add `Vary: Cookie` header when accessed in some ways When the `session` object is accessed, Flask should set the `Vary: Cookie` header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python `in` operator were overlooked. The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not ignore responses with cookies. 2. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. 3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.	3.1.3 Affected by 0 other vulnerabilities.
VCID-ypj9-hez8-qbcs Aliases: CVE-2025-47278 GHSA-4grg-w6v8-c28g	Flask uses fallback key instead of current signing key In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.	3.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-rx8q-6dwq-a3hs
Aliases:
CVE-2026-27205
GHSA-68rp-wp8r-4726

Flask session does not add `Vary: Cookie` header when accessed in some ways When the `session` object is accessed, Flask should set the `Vary: Cookie` header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python `in` operator were overlooked. The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not ignore responses with cookies. 2. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. 3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

3.1.3
Affected by 0 other vulnerabilities.

VCID-ypj9-hez8-qbcs
Aliases:
CVE-2025-47278
GHSA-4grg-w6v8-c28g

Flask uses fallback key instead of current signing key In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.

3.1.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:18:57.074495+00:00	GitLab Importer	Affected by	VCID-rx8q-6dwq-a3hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask/CVE-2026-27205.yml	38.4.0
2026-04-16T23:28:40.874999+00:00	GitLab Importer	Affected by	VCID-ypj9-hez8-qbcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask/CVE-2025-47278.yml	38.4.0
2026-04-12T01:43:16.785135+00:00	GitLab Importer	Affected by	VCID-rx8q-6dwq-a3hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask/CVE-2026-27205.yml	38.3.0
2026-04-12T00:48:17.967125+00:00	GitLab Importer	Affected by	VCID-ypj9-hez8-qbcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask/CVE-2025-47278.yml	38.3.0
2026-04-07T04:57:47.310288+00:00	GHSA Importer	Affected by	VCID-ypj9-hez8-qbcs	https://github.com/advisories/GHSA-4grg-w6v8-c28g	38.1.0
2026-04-03T01:52:04.668171+00:00	GitLab Importer	Affected by	VCID-rx8q-6dwq-a3hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask/CVE-2026-27205.yml	38.1.0
2026-04-03T00:56:18.393585+00:00	GitLab Importer	Affected by	VCID-ypj9-hez8-qbcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask/CVE-2025-47278.yml	38.1.0
2026-04-02T12:41:24.285129+00:00	GitLab Importer	Affected by	VCID-ypj9-hez8-qbcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask/CVE-2025-47278.yml	38.0.0
2026-04-01T12:56:56.555502+00:00	GithubOSV Importer	Affected by	VCID-ypj9-hez8-qbcs	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-4grg-w6v8-c28g/GHSA-4grg-w6v8-c28g.json	38.0.0