2365965 – (CVE-2025-47278) CVE-2025-47278 flask: Flask Session Signing Fallback Key Vulnerability

Bug 2365965 (CVE-2025-47278) - CVE-2025-47278 flask: Flask Session Signing Fallback Key Vulnerability

Summary: CVE-2025-47278 flask: Flask Session Signing Fallback Key Vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2025-47278
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2366240 2366239
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-13 17:01 UTC by OSIDB Bzimport
Modified:	2025-05-14 14:15 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-13 17:01:11 UTC

Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.

Note You need to log in before you can comment on or make changes to this bug.