Flask Web Application Framework Vulnerability in Key Configuration
CVE-2025-47278

1.8 LOW

Key Information:

Vendor

Pallets

Status
Vendor
CVE Published:
13 May 2025

What is CVE-2025-47278?

A vulnerability in Flask 3.1.0 concerns the mishandling of the key configuration used to sign sessions. When key rotation is used via the SECRET_KEY_FALLBACKS setting, Flask assembles the list of signing keys in the wrong order, so the last key in the list, an outdated fallback rather than the current key, is used to sign. Sessions are therefore signed with the outdated key, which complicates the transition to a newer key. Sessions still remain signed and there is no loss of data integrity, but users should upgrade to Flask version 3.1.1, which addresses this issue.
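As an added illustration (not Flask's or this advisory's own code), the following is a minimal HMAC model of the key-list convention the advisory relies on: the last key in the list signs, every key in the list verifies. The two list orderings are assumed to stand for the defective and the corrected behaviour, and the keys are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample keys for the demonstration (not real secrets).
CURRENT_KEY = b"key-2025"
OLD_KEY = b"key-2024"


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def sign(keys: list[bytes], payload: bytes) -> bytes:
    """Sign with the LAST key in the list (the key-list convention modelled here)."""
    return payload + b"." + _mac(keys[-1], payload)


def verify(keys: list[bytes], token: bytes):
    """Return (payload, key) for the first key that validates the token, else (None, None)."""
    payload, _, sig = token.rpartition(b".")
    for key in keys:
        if hmac.compare_digest(_mac(key, payload), sig):
            return payload, key
    return None, None


def signing_keys(secret_key: bytes, fallbacks: list[bytes], fixed: bool) -> list[bytes]:
    """Assumed model of how the key list is assembled from SECRET_KEY and SECRET_KEY_FALLBACKS.
    fixed=False: current key first, so the last fallback ends up signing (the defect).
    fixed=True: current key last, so it signs and the fallbacks only verify."""
    if fixed:
        return [*fallbacks, secret_key]
    return [secret_key, *fallbacks]


def key_used_for_signing(secret_key: bytes, fallbacks: list[bytes], fixed: bool) -> bytes:
    keys = signing_keys(secret_key, fallbacks, fixed)
    token = sign(keys, b"session-data")
    _, key = verify(keys, token)
    return key


def survives_fallback_removal(secret_key: bytes, fallbacks: list[bytes], fixed: bool) -> bool:
    """Can a session issued now still be verified once the fallbacks are retired?
    Under the defect the answer is no, which is why the rotation never completes."""
    keys = signing_keys(secret_key, fallbacks, fixed)
    token = sign(keys, b"session-data")
    payload, _ = verify(signing_keys(secret_key, [], fixed), token)
    return payload is not None
```

Running key_used_for_signing with fixed=False returns the old fallback key, and survives_fallback_removal returns False; with fixed=True the current key signs and sessions remain valid after the fallback is dropped.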

Affected Version(s)

flask = 3.1.0

References

CVSS V4

Score:
1.8
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
