CVE-2022-24880— Potential Captcha Validate Bypass in flask-session-captcha

CVSS 5.3 · Medium EPSS 0.25% · P48 Updated Apr 29, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-24880

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Potential Captcha Validate Bypass in flask-session-captcha

Source: NVD (National Vulnerability Database)

Vulnerability Description

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

对函数返回值的检查不正确

Source: NVD (National Vulnerability Database)

Vulnerability Title

flask-session-captcha 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

flask-session-captcha是德国Joakim Uddholm个人开发者的一个 flask 的验证码实现。 flask-session-captcha 1.2.1之前版本存在安全漏洞，该漏洞源于如果没有传递任何值，`captcha.validate()`函数将返回`None`，如果返回值为**False**，则可以绕过验证码验证检查。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Tethik	flask-session-captcha	< 1.2.1	-

II. Public POCs for CVE-2022-24880

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-24880

请登录查看更多情报信息。

https://github.com/Tethik/flask-session-captcha/pull/27x_refsource_MISC
https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1x_refsource_MISC
https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4x_refsource_MISC
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45x_refsource_CONFIRM
https://nvd.nist.gov/vuln/detail/CVE-2022-24880

IV. Related Vulnerabilities

Same weakness: CWE-253

V. Comments for CVE-2022-24880

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2022-24880— Potential Captcha Validate Bypass in flask-session-captcha

I. Basic Information for CVE-2022-24880

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2022-24880

III. Intelligence Information for CVE-2022-24880

IV. Related Vulnerabilities

V. Comments for CVE-2022-24880

Leave a comment