CVE-2025-47278

CVE-2025-47278 is a low-severity vulnerability with a CVSS 4.0 base score of 1.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-683.

Key facts

Description

Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.

Frequently asked questions

What is CVE-2025-47278?
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.
How severe is CVE-2025-47278?
CVE-2025-47278 has a CVSS 4.0 base score of 1.8, rated low severity.
Is CVE-2025-47278 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (5th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-47278?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-47278 have an EU (EUVD) identifier?
Yes. CVE-2025-47278 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-14386.
When was CVE-2025-47278 published?
CVE-2025-47278 was published on 2025-05-13 and last updated on 2026-06-17.

References

Other CWE-683 vulnerabilities

Browse all CWE-683 vulnerabilities →