CVE-2023-30861 | Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Published: 2023-05-02 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2023-30861 is rated Moderate Risk (54/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.25%). EPSS rose +1.06% over the last day, indicating growing attacker interest. Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2023-30861

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.18% 1.25% +1.06%
2 2025-11-21 0.92% 0.18% -0.73%
3 2025-11-18 0.92%

Full EPSS history (18 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-30861

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 3.9 3.6 [email protected]
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 3.9 3.6 [email protected]

Weakness enumeration for CVE-2023-30861

GitHub Security Advisory for CVE-2023-30861

GHSA-m2qf-hxjv-5gpq · Severity: high · Ecosystem: pip — Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

OS Trackers for CVE-2023-30861

vendor priority summary link
debian not yet assigned CVE-2023-30861 not yet assigned priority: Debian including 1 source packages (flask), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2023-30861
redhat high https://access.redhat.com/security/cve/CVE-2023-30861
suse high CVE-2023-30861 severity important: SUSE including 20 source package names (1.10.1.16.4.5.420:python3-Flask-1.0.2-150100.6.3.1, 3.8.0.1.0.4.5.49:python3-Flask-1.0.2-150100.6.3.1, …), 57 product×package rows across 43 product lines (Container ses/7.1/cephcsi/cephcsi, Container ses/7.1/rook/ceph, … (43 product lines)): Fixed 53, Known Not Affected 4. https://www.suse.com/security/cve/CVE-2023-30861/
ubuntu medium CVE-2023-30861 medium priority: Ubuntu including 1 source packages (flask), 8 status rows across 8 suites (bionic, focal, jammy, kinetic, lunar, trusty, upstream, xenial): released 4, not-affected 2, ignored 1, needs-triage 1. https://ubuntu.com/security/CVE-2023-30861

Affected software / configurations for CVE-2023-30861

Vendor Product Version Raw CPE
palletsprojects flask < 2.2.5 cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*
palletsprojects flask >= 2.3.0, < 2.3.2 cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*

References for CVE-2023-30861

cvelogic Threat Intelligence