Source: flask
Version: 3.1.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for flask.
CVE-2025-47278[0]:
| Flask is a web server gateway interface (WSGI) web application
| framework. In Flask 3.1.0, the way fallback key configuration was
| handled resulted in the last fallback key being used for signing,
| rather than the current signing key. Signing is provided by the
| `itsdangerous` library. A list of keys can be passed, and it expects
| the last (top) key in the list to be the most recent key, and uses
| that for signing. Flask was incorrectly constructing that list in
| reverse, passing the signing key first. Sites that have opted-in to
| use key rotation by setting `SECRET_KEY_FALLBACKS` are likely to
| unexpectedly be signing their sessions with stale keys, and their
| transition to fresher keys will be impeded. Sessions are still
| signed, so this would not cause any sort of data integrity loss.
| Version 3.1.1 contains a patch for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-47278
    https://www.cve.org/CVERecord?id=CVE-2025-47278
[1] https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g
[2] https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09
Regards,
Salvatore
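As an added illustration of the key-ordering bug described in the advisory (this is not code from the bug report, Flask, or itsdangerous): the sign/verify pair below is a plain HMAC-SHA256 stand-in for the itsdangerous contract the CVE text relies on, namely that the last key in the list signs and every listed key may verify. The two `build_keys_*` functions reproduce the 3.1.0 and 3.1.1 list construction; the key names and session payload are constructed sample values.

```python
import hashlib
import hmac


def sign(keys: list[bytes], payload: bytes) -> str:
    """Stand-in for itsdangerous: the LAST key in the list signs."""
    return hmac.new(keys[-1], payload, hashlib.sha256).hexdigest()


def verify(keys: list[bytes], payload: bytes, sig: str) -> bool:
    """Stand-in for itsdangerous: any listed key may verify."""
    return key_used_for_signing(keys, payload, sig) is not None


def key_used_for_signing(keys: list[bytes], payload: bytes, sig: str):
    """Return the key that produced sig, or None. Useful for an operator
    who wants to check whether live session cookies carry a stale key."""
    for k in keys:
        if hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).hexdigest(), sig):
            return k
    return None


def build_keys_vulnerable(secret_key: bytes, fallbacks: list[bytes]) -> list[bytes]:
    """Key list as Flask 3.1.0 built it: current key first, fallbacks after it."""
    keys = [secret_key]
    keys.extend(fallbacks)
    return keys


def build_keys_fixed(secret_key: bytes, fallbacks: list[bytes]) -> list[bytes]:
    """Key list as Flask 3.1.1 builds it: fallbacks first, current key last."""
    keys = list(fallbacks)
    keys.append(secret_key)
    return keys


# Constructed sample configuration: rotation in progress from OLD_KEY to NEW_KEY.
NEW_KEY = b"new-secret-key"
OLD_KEY = b"old-secret-key"
SESSION = b'{"user_id": 42}'


def demo() -> dict:
    vuln, fixed = build_keys_vulnerable(NEW_KEY, [OLD_KEY]), build_keys_fixed(NEW_KEY, [OLD_KEY])
    vuln_sig, fixed_sig = sign(vuln, SESSION), sign(fixed, SESSION)
    return {
        "vulnerable_signs_with": key_used_for_signing(vuln, SESSION, vuln_sig),
        "fixed_signs_with": key_used_for_signing(fixed, SESSION, fixed_sig),
        # Both lists contain both keys, so sessions still verify (no integrity loss)...
        "cross_verifies": verify(fixed, SESSION, vuln_sig) and verify(vuln, SESSION, fixed_sig),
        # ...but once OLD_KEY is retired, cookies signed under 3.1.0 stop verifying.
        "vuln_cookie_survives_retiring_old_key": verify([NEW_KEY], SESSION, vuln_sig),
        "fixed_cookie_survives_retiring_old_key": verify([NEW_KEY], SESSION, fixed_sig),
    }
```

The last two fields show why the advisory says the transition to fresher keys is impeded: a 3.1.0 deployment keeps minting cookies under the stale key, so the fallback cannot be dropped without invalidating them.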