Flask 3.1.0

Direct Vulnerabilities

Known vulnerabilities in the Flask package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Use of Cache Containing Sensitive Information Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the `session` object. An attacker can cause sensitive user-specific responses to be cached and served to other users by leveraging a caching proxy that does not ignore responses with cookies, when the application does not set a `Cache-Control` header and accesses the session only for keys without mutating or accessing values. Note: This is only exploitable if the application is hosted behind a caching proxy that does not ignore responses with cookies, does not set a `Cache-Control` header to indicate that a page is private or should not be cached, and accesses the session in a way that does not access the values, only the keys, and does not mutate the session. How to fix Use of Cache Containing Sensitive Information? Upgrade `flask` to version 3.1.3 or higher.	[,3.1.3)
L Function Call With Incorrect Order of Arguments Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments due to the incorrect handling of the `SECRET_KEY_FALLBACKS` configuration. An attacker can exploit this to sign sessions with stale keys, potentially impeding the transition to fresher keys. note: This is only exploitable if the site has opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS`. How to fix Function Call With Incorrect Order of Arguments? Upgrade `flask` to version 3.1.1 or higher.	[3.1.0,3.1.1)

Vulnerability

Vulnerable Version

Use of Cache Containing Sensitive Information

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the session object. An attacker can cause sensitive user-specific responses to be cached and served to other users by leveraging a caching proxy that does not ignore responses with cookies, when the application does not set a Cache-Control header and accesses the session only for keys without mutating or accessing values.

Note:

This is only exploitable if the application is hosted behind a caching proxy that does not ignore responses with cookies, does not set a Cache-Control header to indicate that a page is private or should not be cached, and accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

How to fix Use of Cache Containing Sensitive Information?

Upgrade flask to version 3.1.3 or higher.

[,3.1.3)

Function Call With Incorrect Order of Arguments

Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments due to the incorrect handling of the SECRET_KEY_FALLBACKS configuration. An attacker can exploit this to sign sessions with stale keys, potentially impeding the transition to fresher keys.

note: This is only exploitable if the site has opted-in to use key rotation by setting SECRET_KEY_FALLBACKS.

How to fix Function Call With Incorrect Order of Arguments?

Upgrade flask to version 3.1.1 or higher.

[3.1.0,3.1.1)

Flask@3.1.0

A simple framework for building complex web applications.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically