Flask 3.1.0 mishandled the fallback key configuration, so sessions were signed with a stale key instead of the current `SECRET_KEY`. The cause is the order in which Flask passed its keys to itsdangerous. itsdangerous signs with the last key in the list it receives and uses the earlier keys only for verification, so the fallback keys belong first and the current `SECRET_KEY` last. Flask 3.1.0 placed `SECRET_KEY` first, which made the last entry of `SECRET_KEY_FALLBACKS` the active signing key. This affects sites that use key rotation: new sessions kept being signed with an old key, so the transition to the new key never completed. Session integrity itself is not broken (every session is still signed and verified), but if an old key had previously been compromised, an attacker holding it could continue to forge valid sessions.
DailyCVE Form
Platform: Flask
Version: 3.1.0
Vulnerability: Key rotation flaw
Severity: Medium
Date: 2024-XX-XX
What Undercode Say:
Exploitation:
- Attackers with prior access to an old `SECRET_KEY` that is still listed in `SECRET_KEY_FALLBACKS` can forge sessions, because on 3.1.0 that old key is the one actually signing new sessions.
- Exploitation requires knowledge of a deprecated key from `SECRET_KEY_FALLBACKS`; without a leaked key there is nothing to exploit.
- No direct RCE; the impact is limited to session forgery and hijacking if an old key has leaked.
Mitigation:
1. Upgrade to Flask >= 3.1.1, which passes the keys to itsdangerous in the correct order.
2. Remove from `SECRET_KEY_FALLBACKS` any key that may have been exposed; on the fixed version keep only the previous key there, and only for the rotation window.
3. Rotate `SECRET_KEY` immediately if there is any doubt about the old keys.
Detection:
pip show flask | grep "^Version:"
python -c "import importlib.metadata as m; print(m.version('flask'))"
Version 3.1.0 combined with a non-empty `SECRET_KEY_FALLBACKS` means the application is affected.
Patch Verification:
from flask import Flask

app = Flask(__name__)
# Constructed test keys; the check only cares about which one ends up last.
app.config.update(SECRET_KEY="current-key", SECRET_KEY_FALLBACKS=["old-key"])

# Flask builds an itsdangerous URLSafeTimedSerializer for the session cookie.
# itsdangerous signs with the last key in its secret_keys list, so on a fixed
# Flask that entry must be SECRET_KEY, not a fallback key.
serializer = app.session_interface.get_signing_serializer(app)
assert serializer is not None, "no SECRET_KEY configured"
assert serializer.secret_keys[-1] == b"current-key", \
    "Key order incorrect: a fallback key is signing sessions (Flask 3.1.0 bug)"
Temporary Workaround:
# Override fallbacks on 3.1.0: with the current key as the only (and therefore last)
# entry, new sessions are signed with SECRET_KEY. This is equivalent to disabling
# rotation, so sessions signed with the old keys are rejected.
app.config['SECRET_KEY_FALLBACKS'] = [app.config['SECRET_KEY']]
Impact Analysis:
- Low risk if `SECRET_KEY_FALLBACKS` is unset or empty: only `SECRET_KEY` is in the list, so it signs as intended.
- High risk if an old key listed in the fallbacks was ever exposed: that key, not the rotated one, signs every new session.
Configuration Checks:
grep -rn "SECRET_KEY_FALLBACKS" /path/to/app/
Any match means the application relies on key rotation and is affected on 3.1.0.
Key Rotation Script:
import os

# Generate a fresh random key and drop the old ones entirely; this invalidates
# existing sessions, which is the intent when an old key may have leaked.
new_key = os.urandom(24)
app.config.update(SECRET_KEY=new_key, SECRET_KEY_FALLBACKS=[])
References:
- Flask changelog (3.1.1)
- itsdangerous key handling docs (signing with a list of keys)
Sources:
Reported By: github.com