CVE-2025-47278— Flask uses fallback key instead of current signing key

Flask uses fallback key instead of current signing key

Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.

N/A

使用不正确参数次序的函数调用

Flask 安全漏洞

Flask是Pallets开源的一个用于构建web应用程序的Python微框架。 Flask 3.1.0版本存在安全漏洞，该漏洞源于密钥回退配置处理不当，可能导致使用过期的密钥进行会话签名。

N/A

N/A