Skip to content

Comments

[CU-86b4umhm1] Update dependency flask to v3 [SECURITY]#152

Open
dnastack-renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-flask-vulnerability
Open

[CU-86b4umhm1] Update dependency flask to v3 [SECURITY]#152
dnastack-renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-flask-vulnerability

Conversation

@dnastack-renovate
Copy link
Contributor

@dnastack-renovate dnastack-renovate bot commented Feb 20, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
flask (changelog) ~=2.1 -> ~=3.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2026-27205

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.

The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not ignore responses with cookies.
  2. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
  3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

Flask session does not add Vary: Cookie header when accessed in some ways

CVE-2026-27205 / GHSA-68rp-wp8r-4726

More information

Details

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.

The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not ignore responses with cookies.
  2. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
  3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pallets/flask (flask)

v3.1.3

Compare Source

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys
    but not the values, such as in and len. :ghsa:68rp-wp8r-4726

v3.1.2

Compare Source

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state
    of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

v3.1.1

Compare Source

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via
    SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands
    are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return
    AsyncIterable. This is not accurate for Flask, but makes typing easier
    for Quart. :pr:5659

v3.1.0

Compare Source

Released 2024-11-13

  • Drop support for Python 3.8. :pr:5623
  • Update minimum dependency versions to latest feature releases.
    Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
  • Provide a configuration option to control automatic option
    responses. :pr:5496
  • Flask.open_resource/open_instance_resource and
    Blueprint.open_resource take an encoding parameter to use when
    opening in text mode. It defaults to utf-8. :issue:5504
  • Request.max_content_length can be customized per-request instead of only
    through the MAX_CONTENT_LENGTH config. Added
    MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation
    about resource limits to the security page. :issue:5625
  • Add support for the Partitioned cookie attribute (CHIPS), with the
    SESSION_COOKIE_PARTITIONED config. :issue:5472
  • -e path takes precedence over default .env and .flaskenv files.
    load_dotenv loads default files in addition to a path unless
    load_defaults=False is passed. :issue:5628
  • Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old
    secret keys that can still be used for unsigning. Extensions will need to
    add support. :issue:5621
  • Fix how setting host_matching=True or subdomain_matching=False
    interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts
    requests to only that domain. :issue:5553
  • Request.trusted_hosts is checked during routing, and can be set through
    the TRUSTED_HOSTS config. :issue:5636

v3.0.3

Compare Source

Released 2024-04-07

  • The default hashlib.sha1 may not be available in FIPS builds. Don't
    access it at import time so the developer has time to change the default.
    :issue:5448
  • Don't initialize the cli attribute in the sansio scaffold, but rather in
    the Flask concrete class. :pr:5270

v3.0.2

Compare Source

Released 2024-02-03

  • Correct type for jinja_loader property. :issue:5388
  • Fix error with --extra-files and --exclude-patterns CLI options.
    :issue:5391

v3.0.1

Compare Source

Released 2024-01-18

  • Correct type for path argument to send_file. :issue:5336
  • Fix a typo in an error message for the flask run --key option. :pr:5344
  • Session data is untagged without relying on the built-in json.loads
    object_hook. This allows other JSON providers that don't implement that.
    :issue:5381
  • Address more type findings when using mypy strict mode. :pr:5383

v3.0.0

Compare Source

Released 2023-09-30

  • Remove previously deprecated code. :pr:5223
  • Deprecate the __version__ attribute. Use feature detection, or
    importlib.metadata.version("flask"), instead. :issue:5230
  • Restructure the code such that the Flask (app) and Blueprint
    classes have Sans-IO bases. :pr:5127
  • Allow self as an argument to url_for. :pr:5264
  • Require Werkzeug >= 3.0.0.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@platform-automation-dnastack
Copy link

platform-automation-dnastack commented Feb 20, 2026

Task linked: CU-86b4umhm1 Setup Renovate server and introduce it to wallet

@github-actions
Copy link

github-actions bot commented Feb 20, 2026
edited
Loading

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines Covered Coverage Threshold Status
10675 5949 56% 30% 🟢

New Files

No new covered files...

Modified Files

No covered modified files...

updated for commit: 431769d by action🐍

@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 095c473 to 431769d Compare February 23, 2026 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate-security

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@platform-automation-dnastack