UBUNTU-CVE-2025-47278

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2025-47278
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-47278.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-47278
Related
Published
2025-05-13T16:15:00Z
Modified
2025-05-14T16:32:09Z
Summary
[none]
Details

Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the itsdangerous library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting SECRET_KEY_FALLBACKS care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.

References

Affected packages

Ubuntu:Pro:16.04:LTS / flask

Package

Name
flask
Purl
pkg:deb/ubuntu/flask@0.10.1-2ubuntu0.1?arch=source&distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.1-2build2
0.10.1-2ubuntu0.1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / flask

Package

Name
flask
Purl
pkg:deb/ubuntu/flask@0.12.2-3ubuntu0.1?arch=source&distro=esm-infra/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.12.2-2
0.12.2-3
0.12.2-3ubuntu0.1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / flask

Package

Name
flask
Purl
pkg:deb/ubuntu/flask@1.1.1-2ubuntu0.1?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.2-3
1.1.1-2
1.1.1-2ubuntu0.1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / flask

Package

Name
flask
Purl
pkg:deb/ubuntu/flask@2.0.1-2ubuntu1.1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.2-2

2.*

2.0.1-2ubuntu1
2.0.1-2ubuntu1.1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / flask

Package

Name
flask
Purl
pkg:deb/ubuntu/flask@3.0.3-1ubuntu1?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.2-1ubuntu1
3.0.3-1ubuntu1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / flask

Package

Name
flask
Purl
pkg:deb/ubuntu/flask@3.0.2-1ubuntu1?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.5-1ubuntu1

3.*

3.0.2-1ubuntu1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:25.04 / flask

Package

Name
flask
Purl
pkg:deb/ubuntu/flask@3.1.0-2ubuntu1?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.3-1ubuntu1
3.1.0-2ubuntu1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}