#VU109059 Cryptographic issues in Flask - CVE-2025-47278

Cybersecurity Help s.r.o.

Published: 2025-05-13

Vulnerability identifier: #VU109059

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-47278

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Flask
Web applications / CMS

Vendor: The Pallets Projects

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the way fallback key configuration was handled. The application used the last fallback key for signing, rather than the current signing key, which could potentially lead to data tampering.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Flask: 3.1.0

External links
https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in IBM Storage Defender - Resiliency Service

IBM Maximo Application Suite - Predict Component update for Flask

Ubuntu update for flask

Fedora 42 update for mingw-python-flask, mingw-python-flit-core

Incorrect usage of signing key in Flask