CVE-2025-47278
CVE-2025-47278 is a low-severity vulnerability with a CVSS 4.0 base score of 1.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-683.
Key facts
- Severity: Low (CVSS 4.0 base score 1.8)
- EPSS exploit prediction: 0% (5th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-14386
- Weakness: CWE-683
- Published:
- Last modified:
Description
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.
Frequently asked questions
- What is CVE-2025-47278?
- Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.
- How severe is CVE-2025-47278?
- CVE-2025-47278 has a CVSS 4.0 base score of 1.8, rated low severity.
- Is CVE-2025-47278 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (5th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-47278?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-47278 have an EU (EUVD) identifier?
- Yes. CVE-2025-47278 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-14386.
- When was CVE-2025-47278 published?
- CVE-2025-47278 was published on 2025-05-13 and last updated on 2026-06-17.
References
- https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09
- https://github.com/pallets/flask/releases/tag/3.1.1
- https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g
Other CWE-683 vulnerabilities
- CVE-2023-32059 — High (CVSS 7.5): Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls…
- CVE-2026-32269 — Medium (CVSS 6.5): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to…