CVE-2025-47278: Flask uses fallback key instead of current signing key

Published May 13, 2025

Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted in to key rotation by setting `SECRET_KEY_FALLBACKS` are likely to be unexpectedly signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this does not cause any loss of data integrity. Version 3.1.1 contains a patch for the issue.
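The following is an added example written for this page; it is not Flask's or itsdangerous' own code. It models the key-list semantics the description relies on (the last key in the list signs, every key in the list verifies) with a small HMAC signer, builds the key list in both the 3.1.0 order and the 3.1.1 order, and includes a defender-side check that reports which configured key actually produced a token's signature. The key values, the payload, and the helper names (`MultiKeySigner`, `build_key_list`, `which_key_signed`) are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample keys for the demonstration; not real secrets.
CURRENT_KEY = "current-key-2025"
FALLBACK_KEYS = ["old-key-2023", "old-key-2024"]  # assumed SECRET_KEY_FALLBACKS value


def _mac(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1 over the payload, URL-safe base64 without padding."""
    digest = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=")


class MultiKeySigner:
    """Simplified stand-in for the itsdangerous key-list behaviour (assumption: written
    for this example, not the library). The LAST key in the list signs; every key in the
    list is accepted when verifying, which is what makes key rotation possible."""

    def __init__(self, keys):
        self.keys = [k.encode() if isinstance(k, str) else k for k in keys]

    def sign(self, payload: bytes) -> bytes:
        return payload + b"." + _mac(self.keys[-1], payload)

    def verify(self, token: bytes) -> bool:
        payload, sep, sig = token.rpartition(b".")
        if not sep:
            return False
        return any(hmac.compare_digest(sig, _mac(k, payload)) for k in self.keys)


def build_key_list(secret_key, fallbacks, flask_3_1_0_order=False):
    """Key list as the session interface hands it to the signer.
    flask_3_1_0_order=True reproduces the CVE-2025-47278 ordering (signing key first, so
    the last fallback ends up signing); False is the 3.1.1 ordering (signing key last)."""
    keys = []
    if flask_3_1_0_order:
        keys.append(secret_key)
        keys.extend(fallbacks)
    else:
        keys.extend(fallbacks)
        keys.append(secret_key)
    return keys


def which_key_signed(token: bytes, named_keys: dict) -> Optional[str]:
    """Defender-side check: report which configured key produced a token's signature.
    Run against a session cookie from your own deployment to see whether sessions are
    being signed with a stale fallback key."""
    payload, sep, sig = token.rpartition(b".")
    if not sep:
        return None
    for name, key in named_keys.items():
        if hmac.compare_digest(sig, _mac(key.encode(), payload)):
            return name
    return None


def demo():
    named = {"current": CURRENT_KEY}
    named.update({f"fallback{i}": k for i, k in enumerate(FALLBACK_KEYS)})
    payload = b"session-payload"  # constructed stand-in for a serialized session

    buggy = MultiKeySigner(build_key_list(CURRENT_KEY, FALLBACK_KEYS, flask_3_1_0_order=True))
    fixed = MultiKeySigner(build_key_list(CURRENT_KEY, FALLBACK_KEYS))
    buggy_token = buggy.sign(payload)
    fixed_token = fixed.sign(payload)

    # Once rotation is complete the operator drops the fallbacks from configuration.
    after_rotation = MultiKeySigner([CURRENT_KEY])

    return {
        "buggy_signed_by": which_key_signed(buggy_token, named),
        "fixed_signed_by": which_key_signed(fixed_token, named),
        "buggy_verifies_now": buggy.verify(buggy_token),
        "buggy_verifies_after_rotation": after_rotation.verify(buggy_token),
        "fixed_verifies_after_rotation": after_rotation.verify(fixed_token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the 3.1.0 ordering the token is signed by the last fallback key; it still verifies while that fallback is configured (no integrity loss), but it fails as soon as the fallback is retired, which is the impeded rotation the advisory describes. With the 3.1.1 ordering the current key signs and the token survives retirement of the fallbacks.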

Affected Software

6 affected components (fixes available)

Pallets Flask: < 3.1.1 (pip/flask 3.1.0); fixed in 3.1.1
IBM Fusion: 2.2.0 through 2.10.1
IBM Fusion HCI: 2.2.0 through 2.10.0
IBM Fusion HCI for watsonx: 2.8.2 through 2.10.0

Event History

May 13, 2025
  CVE Published via MITRE, 03:57 PM
  Data Sourced via MITRE, 03:57 PM (Description, Weakness)
  Data Sourced via NVD, 04:15 PM (Description, Severity, Weakness)
  Advisory Published via GitHub, 08:25 PM
Sep 11, 2025
  Data Sourced via IBM, 12:00 AM (Description, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2025-47278?

The severity of CVE-2025-47278 is classified as high due to the risk of improper key signing.

2. How do I fix CVE-2025-47278?

To fix CVE-2025-47278, upgrade Flask to version 3.1.1 or later.

3. What versions of Flask are affected by CVE-2025-47278?

Flask versions prior to 3.1.1 are affected by CVE-2025-47278.

4. What impact does CVE-2025-47278 have on applications?

In applications that rely on Flask for session signing and have configured `SECRET_KEY_FALLBACKS`, CVE-2025-47278 causes sessions to be signed with a stale fallback key instead of the current key, impeding key rotation.

5. What components are involved in the exploitation of CVE-2025-47278?

CVE-2025-47278 involves the Flask framework and the itsdangerous library used for signing sessions.

© 2026 SecAlerts Pty Ltd.