Skip to content

Update dependency flask to v3.1.3 [SECURITY]#648

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-flask-vulnerability
Open

Update dependency flask to v3.1.3 [SECURITY]#648
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-flask-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 13, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
flask (changelog) 3.1.03.1.3 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Flask uses fallback key instead of current signing key

CVE-2025-47278 / GHSA-4grg-w6v8-c28g

More information

Details

In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key.

Signing is provided by the itsdangerous library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first.

Sites that have opted-in to use key rotation by setting SECRET_KEY_FALLBACKS are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.

Severity

  • CVSS Score: 1.8 / 10 (Low)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Flask session does not add Vary: Cookie header when accessed in some ways

CVE-2026-27205 / GHSA-68rp-wp8r-4726

More information

Details

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.

The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not ignore responses with cookies.
  2. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
  3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pallets/flask (flask)

v3.1.3

Compare Source

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys
    but not the values, such as in and len. :ghsa:68rp-wp8r-4726

v3.1.2

Compare Source

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state
    of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

v3.1.1

Compare Source

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via
    SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands
    are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return
    AsyncIterable. This is not accurate for Flask, but makes typing easier
    for Quart. :pr:5659

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the merge-queue merge on green CI label May 13, 2025
@renovate renovate Bot requested a review from a team as a code owner May 13, 2025 23:20
@renovate renovate Bot added the merge-queue merge on green CI label May 13, 2025
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch from 5c310f4 to db4fc93 Compare August 10, 2025 13:15
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch from db4fc93 to dbc5acc Compare August 19, 2025 19:49
@renovate renovate Bot changed the title fix(deps): update dependency flask to v3.1.1 [security] chore(deps): update dependency flask to v3.1.1 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch from dbc5acc to 2df74ab Compare November 18, 2025 10:29
@renovate renovate Bot changed the title chore(deps): update dependency flask to v3.1.1 [security] Update dependency flask to v3.1.1 [SECURITY] Dec 1, 2025
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch from 2df74ab to 9f171dc Compare February 2, 2026 21:49
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch from 9f171dc to bdbd8fc Compare March 13, 2026 11:09
@renovate renovate Bot changed the title Update dependency flask to v3.1.1 [SECURITY] Update dependency flask to v3.1.1 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-flask-vulnerability branch March 27, 2026 05:15
@renovate renovate Bot changed the title Update dependency flask to v3.1.1 [SECURITY] - autoclosed Update dependency flask to v3.1.1 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch 2 times, most recently from bdbd8fc to 3962c51 Compare March 30, 2026 18:25
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch from 3962c51 to 7baac61 Compare April 7, 2026 14:48
@renovate renovate Bot changed the title Update dependency flask to v3.1.1 [SECURITY] Update dependency flask to v3.1.3 [SECURITY] Apr 7, 2026
@renovate renovate Bot changed the title Update dependency flask to v3.1.3 [SECURITY] chore(deps): update dependency flask to v3.1.3 [security] Apr 7, 2026
@renovate renovate Bot changed the title chore(deps): update dependency flask to v3.1.3 [security] Update dependency flask to v3.1.3 [SECURITY] Apr 8, 2026
@renovate renovate Bot changed the title Update dependency flask to v3.1.3 [SECURITY] Update dependency flask to v3.1.3 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency flask to v3.1.3 [SECURITY] - autoclosed Update dependency flask to v3.1.3 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/pypi-flask-vulnerability branch from 7baac61 to 42170da Compare April 27, 2026 22:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

merge-queue merge on green CI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants