GHSA-4grg-w6v8-c28g · Severity: low · Ecosystem: pip — Flask uses fallback key instead of current signing key
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.
Conclusion & alert: CVE-2025-47278 is rated Low Risk (17.3/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.11%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-09 | 0.01% | 0.11% | +0.09% |
| 2 | 2025-05-14 | — | 0.01% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 1.8 | 4.0 | LOW |
|
— | — | [email protected] |
GHSA-4grg-w6v8-c28g · Severity: low · Ecosystem: pip — Flask uses fallback key instead of current signing key
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2025-47278 unimportant priority: Debian including 1 source packages (flask), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2025-47278 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2025-47278 |
suse
|
low | CVE-2025-47278 severity low: SUSE including 12 source package names (python-Flask, python3-Flask, …), 45 product×package rows across 21 product lines (SLES-LTSS-TERADATA 15 SP2, SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS, … (21 product lines)): Known Not Affected 37, Fixed 8. | https://www.suse.com/security/cve/CVE-2025-47278/ |
ubuntu
|
medium | CVE-2025-47278 medium priority: Ubuntu including 1 source packages (flask), 8 status rows across 8 suites (bionic, focal, jammy, noble, oracular, plucky, upstream, xenial): not-affected 6, released 2. | https://ubuntu.com/security/CVE-2025-47278 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||